ARMS-D-Request@XX.LCS.MIT.EDU (Moderator) (11/10/86)
Arms-Discussion Digest Sunday, November 9, 1986 4:31PM
Volume 7, Issue 53
Today's Topics:
Meteorite as A-explosion
Yet more on SDI (Star Wars flawed #4-of-10)
Unequivocal Confirmation of Detonation
Perfection of SDI (from RISKS)
defenses, first strike
defenses, first strike
Unequivocal confirmation of detonation
Unequivocal confirmation of detonation
----------------------------------------------------------------------
Date: Sat, 8 Nov 86 07:22:21 PST
From: Steve Walton <ametek!walton@csvax.caltech.edu>
Subject: Meteorite as A-explosion
In Arms-D V7 #46, Larry Campbell writes:
Just a thought... would current systems (both technical and human) be
able to distinguish a nuclear attack from the impact of a very large
meteorite? How about an anti-matter meteorite?
I think the answer is "yes." There is only a small chance that a
meteorite would hit in the middle of a major city; it is much more
likely to land in the ocean. No radiation, of course, which I think
is why Larry asks about anti-matter meteorites. This is a vanishingly
small probability. There is no evidence that there is a significant
concentration of anti-matter anywhere in our Galaxy. Besides, the
conversion of 1 gram of anti-matter (a cube less than 1 cm on a side)
to energy would produce 9 x 10^20 ergs of energy, which is probably
enough to split the earth in two. (I can't find the conversion from
ergs to megatons in the CRC, even though it tells me that there are
160 square perches in an acre.) Such a particle would also produce a
long trail of annihilations on its way in to the Solar System, due to
collisions with the atoms in the solar wind, the density of which is
about 10 atoms per cubic centimeter near the earth and more than 1 per
cc even at Jupiter. The resulting trail would be easily visible.
Steve Walton
------------------------------
Date: Monday, 3 November 1986 08:05-EST
From: Jane Hesketh <jane%aiva.edinburgh.ac.uk at Cs.Ucl.AC.UK>
To: ARMS-D
Subject: Yet more on SDI (Star Wars flawed #4-of-10)
Formulation of an Adequate Specification
Jane Hesketh
The area I want to address is the start of the system
development path. It is the initial step of analysing the
task, identifying the requirements, and thence generating a
specification. Here, I am using the term specification in a
large sense initially to describe a whole system, including
the computing sub-system. This is one of the most crucial
stages, because no amount of good engineering practice or
provably correct code synthesis can make a silk purse out of
a sow's ear. Any errors made here proliferate through the
entire system; even if they are recognised, their
eradication and correction is often expensive and liable to
introduce other errors which were not previously present.
Outline
o What must this stage cover? Which aspects of SDI will
make most demands on its designers?
o What existing approaches to analysis and specification
are there within the computing disciplines?
o How much of a remedy for their shortcomings can we look
forward to?
o Inherent limitations of (computer) modelling and
control
What must this stage cover? Which aspects of SDI will make
most demands on its designers?
This is a broad area of work, of which formulating the
computing specification is an integral part. It must
include at least the following:
(1) Stating the problem, making an initial analysis of the
potential overall feasible solutions and selecting one.
(2) Describing everything that might relate to the task's
accomplishment sufficiently precisely. Trying to
minimise errors of omission or commission, ambiguities
and inconsistencies.
(3) Designing a system to perform the desired task,
including:
o Defining requirements for the production of the system,
e.g. cost, timescale, prototypes, design freeze
points, coordination of hardware and software
development.
o Designing interfaces between units and communications
between distributed subsystems.
o Failure characteristics of the system, both active and
passive.
(4) Planning appropriate testing
(5) Designing for modifiability and maintainability - to
make it possible to correct mistakes in the system and
to enable it to be altered to satisfy changing
requirements.
Although the system may be hierarchically defined, none of
the above can be avoided, indeed they apply at all levels.
Higher levels of the system must plan to cope with all the
kinds of signals which may be manifested by lower levels,
for whatever reason - correct operation, operator error,
mechanical failure, component failure, power failure, enemy
action etc.
SDI will make huge demands in almost all respects. It
will be a vast and complex system, situated in a rich
environment full of diverse stimuli. Its potential effects
will be far-reaching, so a high degree of precision in its
specification is essential. The space of opportunities for
error will be orders of magnitude greater than the problem
space.
Inherently, a lack of stability of the problem means
that even if a system can be produced, it will be unmatched
to its task for some of the time. The extent to which this
is acceptable must be determined. The BMS will face a
continually changing world. Its own deployment will be a
significant cause of change.
What existing approaches to analysis and specification are
there within the computing disciplines?
Motivated largely by the increasing cost of producing and
maintaining computer software, there have been moves by
computing practitioners to develop better techniques for
software development. These have concentrated largely on
making the task of programming more routine, given a
specification, since this is reasonably tractable.
Formulating the analysis and design task has been largely
avoided as being more creative and requiring the involvement
of humans. Over the last couple of decades various systems
have emerged intended to encourage if not enforce good
programming and good design, increasingly attempting to
attack the problem at higher and higher levels. We have
moved from assembly code to higher level languages, and use
of structured programming techniques is widespread to
control programs written in the higher level languages.
Nowadays, we are seeing the beginning of packages
designed to be analysts' workbenches - for example graphical
representations of data flow diagrams which can be
automatically converted into specifications which can in
turn be verified and converted into code. Internal
inconsistencies and ambiguities can be flushed out. They
are, however, limited in terms of the kinds of model and
range of task they encompass. Structured programming
techniques, for example, suit data processing applications,
but do not deal well with a wide variety of error conditions
or interrupt handling. Equivalent techniques exist for
things like parallel processing or real-time tasks. All,
however, can only refine a specification; they can't invent
it.
In parallel, there has been a move in academic computing
circles towards the automatic generation and verification of
code based on some kind of formally defined specification
language. The lessons of this indicate the extent to which
the capabilities of such systems will be circumscribed,
particularly with respect to the power of language they will
be able to express. The logics we have at present are not
good enough to mirror real world problems of any
sophistication.
Both of these approaches, therefore, deal essentially
with the design, assuming the analysis is correct and
complete. In both cases, it is clear that no amount of
automation will do better than guarantee the correctness of
a program to perform a stupid task if that is what is
specified.
How much of a remedy for their shortcomings can we look
forward to?
In order to extend what has been done, the remedies we would
look for would demand the development of logics which could
represent more closely the world as we know it. We will be
able to set out specifications in formal languages which are
increasingly
o understandable to non-specialists
o able to describe more elaborate notions such as time,
belief and uncertainty
But the potential for an extension of rigour to the analysis
step or the generation of specifications is limited. If the
designer fails to anticipate some combination of
circumstances, miscalculates tolerances, or fails to define
an event precisely enough to make it unerringly
identifiable, it is unlikely that internal inconsistencies
will result as a warning. For some systems in relatively
self-contained toy worlds, a little progress might be made,
by encoding their `world' knowledge. For any large scale
problem in the real world, that is impossible.
Inherent limitations of (computer) modelling and control
When completed, the specification (and the system itself)
form a model of appropriate reaction under threat, which
happens to actually react, unlike most models. Even with
improved tools, we are confronted with the need to model
parts of the world and the task we want performed, in some
combination of equipment and language.
There is nothing unique to computing about this.
Engineers model bridges, educationalists model learning
processes and economists model financial systems. Even the
act of describing something, whether in English or logic, is
modelling. From time to time, everyone faces the question
of whether their model is appropriate. As they take the
great leap of confidence into their model, work out what it
suggests to them about the problem posed, and emerge, can
they trust the answers? Models will never wholly replicate
reality. However similar, a mechanical heart does not have
quite the same properties as a human one, and a computer
model of a transport system will probably not actually
experience flooding or suicide even though it may
incorporate them statistically.
We cannot even expect to know what all the limitations
of each model are. When we try to decide whether or not it
is suitable in each case, expert opinion rarely concurs in
problems of any significant complexity.
Since we cannot guarantee perfect matching between
problems and their representations, we cannot guarantee the
appropriateness of the solutions generated in computing any
more than in any other discipline.
Summary
o Analysis and specification are complex tasks which are
notoriously difficult to get right even for small
problems, and impossible for larger ones - especially
those whose potential for error is considerable.
o Many attempts have been made to improve the quality of
the systems produced, but they are limited by their
reliance on having good specifications to start with.
o We can develop more powerful and more robust ways of
expressing specifications, but we can't ensure their
correctness or completeness with respect to our
original intentions.
o All the systems we can produce will rely on models of
the world and the task they are to perform. Models can
never wholly match reality. So we must always be aware
of the limitations of our systems.
Information about the author
Jane Hesketh is currently a Research Associate at the
Department of Artificial Intelligence, University of
Edinburgh. She has previously worked as a senior programmer
at St Thomas' Hospital, London, responsible for systems
directly concerned with patients' medical care, and as a
senior analyst/programmer at Heriot-Watt University Computer
Centre, with special responsibility for microprocessor
applications. She has a BA(Hons) in Mathematics from
Cambridge University, and an MSc in Statistics from London
University.
------------------------------
From: hplabs!pyramid!utzoo!henry@ucbvax.Berkeley.EDU
Date: Sun, 9 Nov 86 08:40:11 pst
Subject: Unequivocal Confirmation of Detonation
> That is not a fundamental limitation. The President's airplane can
> stay aloft for 72 hours. If we wanted to keep the bombers aloft for
> 24 hours, we could. (Besides, B52's *have* been kept in the air for
> about 24 hours.)
They've been kept aloft much longer than that... given adequate tanker
support. A late-model B-52 can stay airborne about 24 hours *without*
refuelling (despite aircraft and engines both being 20 years obsolete),
but at the end of that its tanks are dry and it goes down. None of the
tankers can come anywhere near that performance, however. Furthermore,
my impression is that very little of the tanker force is normally on
runway alert, which means the tankers get destroyed on the ground. Even
those that get off haven't the payload and endurance to be very useful
unless they can land and refuel somewhere. The best of the tankers --
the KC-10s and the re-engined KC-135s -- might be able to stay up 12
hours and offload a modest amount of fuel, after which they go down.
So they might be able to leave a small number of B-52s with full tanks
at the 12-hour mark, which will suffice for a one-way mission with the
"go" order at the 24-hour mark. That is about the last time it can be
given, since the E-4B carrying the president will run out of fuel before
much longer even if it tanked up at the 12-hour mark. It has enough oil
and minor consumables for 72 hours, but for fuel it's a normal 747, good
for maybe 12-15 hours unless refuelled. No tankers after X+12 means no
E-4B after about X+24. Ditto for Looking Glass, Tacamo, etc.
If the B-52Hs were re-engined with modern engines, they would probably
have an unrefuelled endurance of 36 hours or so, making the idea rather
more feasible. A B-52 built with modern technology throughout might
reach 48 hours or more, but it's unlikely that anything like that will
be done. It's a little pointless, anyway, since the airborne command
posts have so much less endurance.
Related thought: if the B-52s and B-1s get airborne under attack, a
large percentage of the surviving bomber crews will be able to personally
verify nuclear explosions on US soil. They don't scramble that fast; they
will know about it when the base behind them gets blasted. How good are
the bomber -> command communications? (Communications systems intended
for "go" orders aren't necessarily two-way.)
Henry Spencer @ U of Toronto Zoology
{allegra,ihnp4,decvax,pyramid}!utzoo!henry
------------------------------
Date: Tuesday, 28 October 1986 10:48-EST
From: LIN
To: RISKS-LIST:, Douglas Humphrey <deh at ENEEVAX.UMD.EDU>
cc: risks at CSL.SRI.COM, arms-d
Re: Perfection
From: Douglas Humphrey <deh at eneevax.umd.edu>
To LIN : In response to a message, you state that none of the anti-SDI
folk ever stated that the software had to be perfect. I have
heard constantly in both the widely read (Washington Post) and
limited (?) distribution industry media (Aviation Leak and
Space Mythology) SDI critics that conte[x]t that it must be perfect
or it is useless. I don't believe this, and I would hope you
don't either, but saying that the whole must be perfect
certainly implies that the parts must be perfect.
Please give a citation. The only place I have ever seen a statement about
required "perfection" came in an article written by James Fletcher, of the
Fletcher Commission, who clearly states that "an enormous and error-free
program" would be required. Fletcher hardly counts as a critic.
[I held this one up hoping for a response... PGN]
I don't deny that you have heard what you say you have heard, but the
only inference I can draw is that neither the Post nor AWAST have
correctly reported the critics' position.
What critics DO say is that you can never know if BMD software will work in
the absence of realistic testing. KNOWING that a program will work properly
without error is a different, and more demanding, condition than whether or
not it *actually* will if put to the test. Moreover, critics do not have
faith that it is possible to predict all of the ways that the Soviets might
attack; we do believe that the Soviets *might* be able to attack in a way
that would result in catastrophic failure.
On the general issue of "perfection", critics believe that the statement of
mission requirements comes from the President of the United States and the
Secretary of Defense, who assert that SDI is a way to protect everybody
against nuclear ballistic missiles. They get funding from Congress on that
claim, and they present it to the American people that way. If they want to
use it for something else, such as improving the ability of the U.S. to
retaliate, then let them say so. Until the proponents admit POLITICALLY
that their goal is infeasible, critics have a responsibility to confront
them with their fallacies. You may acknowledge that their goal is
infeasible, in which case we can argue about what goals are feasible, but
you are not the President. If you want to criticize someone for asserting
perfection, dump on the highest levels of the Administration, because they
are the ones that set the terms of the debate.
------------------------------
Date: Saturday, 8 November 1986 20:45-EST
From: cfccs at HAWAII-EMH
To: ARMS-D
Re: defenses, first strike
Let me see if I have all this down correctly. Our current system of
defense (and that of the Soviet Union) cannot be 100% incapacitated
because of the mobility of some of the components (subs and possible
bombers). This effectively means that if either side launches a
first strike and successfully destroys the main forces of the other,
there will still be enough left to destroy the population of the
attacker. This logically leads to the assumption that neither side
will launch a first strike unless they can be sure of their own self
preservation.
On the other hand, there is always the chance of an accident or
irresponsible entity (terrorist or terroristic country?) who has
nothing to lose, getting a nuclear weapon capability and using it
indiscriminately. It seems that no amount of retaliation will deter a
fanatic who has already decided to give up his life for his cause.
This brings us to the SDI issue. I have heard many complaints that
the technology does not exist to develop a 100% effective defense.
That may or may not be true depending on the expert you listen to.
The fact exists that unless something is tried, it cannot be realized
(gained?). The SDI system will be developed in phases or versions.
Each will be an improvement using newer technology. Each will reach
new goals which will have been set based on the capabilities and
requirements of the day. This is the way a system of such magnitude
is designed. Not a one-time failsafe cure-all. I am really surprised
at some of the informed experts who have thumbed their noses at
developing this new direction in technology because "...it can't be
done". The history books are littered with the names of 'experts' who
were quoted saying those very words shortly before the 'impossible'
became 'reality'. The only thing I can think of that could be
motivating these people to speak out against moving *toward* this
technology is politics. They must have a vested interest in the
present system and don't want to see their own cart of apples upset.
Anti-nuclear technology may be the only way to make nuclear weapons
obsolete. Banning them won't do it because they already exist.
Making them illegal means only the law breakers will develop them. I
know that what we have all heard about SDI will not cure all the ills
of nuclear weaponry, but isn't it a start? What is the alternative?
Gary Holt
CFCCS HAWAII-EMH
------------------------------
Date: Sun, 9 Nov 1986 16:07 EST
From: LIN@XX.LCS.MIT.EDU
Subject: defenses, first strike
From: cfccs at HAWAII-EMH
Let me see if I have all this down correctly. Our current system of
defense (and that of the Soviet Union) cannot be 100% incapacitated
because of the mobility of some of the components (subs and possible
bombers).
Actually, you would be hard pressed to destroy all of the fixed
land-based missiles too. How many would be left is a different
question. Even 100 surviving missiles (out of 1000) would be rather
potent.
This effectively means that if either side launches a
first strike and successfully destroys the main forces of the other,
there will still be enough left to destroy the population of the
attacker. This logically leads to the assumption that neither side
will launch a first strike unless they can be sure of their own self
preservation.
Right. That is the theory.
On the other hand, there is always the chance of an accident or
irresponsible entity (terrorist or terroristic country?) who has
nothing to lose, getting a nuclear weapon capability and using it
indiscriminately. It seems that no amount of retaliation will deter a
fanatic who has already decided to give up his life for his cause.
True. But you have capabilities to determine who is about to do that.
Libya? They won't get them very quickly or very soon, and in that
case (how likely is a Libyan ICBM?) we launch a pre-emptive strike on
them. You can certainly construct scenarios now in which the Soviet
Union is ruled by a madman, but you have to describe how that could
happen from the world we live in now.
This brings us to the SDI issue. I have heard many complaints that
the technology does not exist to develop a 100% effective defense.
That may or may not be true depending on the expert you listen to.
The fact exists that unless something is tried, it cannot be realized
(gained?).
Hardly. Would you support research into perpetual motion? Into
immortality? Into psychokinesis? Maybe in a world with unlimited
funding, you would, but this isn't that world.
The history books are littered with the names of 'experts' who
were quoted saying those very words shortly before the 'impossible'
became 'reality'.
But the fact that experts have been wrong doesn't mean that experts
are wrong now. N-rays, telepathy, spontaneous generation were all
laughed at by some, and they have been consigned to the scrap heap.
The only thing I can think of that could be
motivating these people to speak out against moving *toward* this
technology is politics. They must have a vested interest in the
present system and don't want to see their own cart of apples upset.
Some of us don't like to see scarce resources wasted when there are so
many more pressing problems with higher odds of success.
Making them illegal means only the law breakers will develop them. I
know that what we have all heard about SDI will not cure all the ills
of nuclear weaponry, but isn't it a start? What is the alternative?
The alternative is to work on problems that we have a chance of
solving. Some research on SDI stuff is warranted, in my view. But it
should be put into the very-long-shot category. Making it the
centerpiece of U.S. policy is not the thing to do.
------------------------------
Date: Sunday, 9 November 1986 10:57-EST
From: The Computer is your friend! <"NGSTL1::SHERZER%ti-eg.csnet" at RELAY.CS.NET>
To: arms-d
Re: Unequivocal confirmation of detonation
X-VMS-To: SKACSL::IN%"lin%xx.lcs.mit.edu@csnet-relay"
>> From: <"NGSTL1::SHERZER%ti-eg.csnet" at RELAY.CS.NET>
>> Given that we have a place for tankers to land and refuel, we can keep
>> SOME of the bombers in the air for 24 hours. This means the use of
>> airfields which will not exist after the Soviet attack so it is not
>> feasible in this situation. Also, the time needed is more like 36 hours
>> (they still need to fly to the USSR). After talking with a friend
>> who is a retired tanker navigator, I was assured that it is not
>> possible to keep the tanker and bomber force aloft for the 24 hours
>> (much less the actual 36 hours).
>> So, after 24 hours, we have no land based ICBM's, no bombers, some
>> (exact number unknown) of subs. We also have no way to order the
>> retaliation (because of no C3).
> I agree we can't keep the entire force in the air for 24 hours. But
> as you note, we can keep some of it in the air for that long.
> Submarines are capable of launching without a go-code. That is still
> a formidable force.
You misunderstand what I said. The tankers cannot keep THEMSELVES (not
to mention the bombers) in the air for 24 hours. This means that NONE
of the bomber force would survive.
As to the sub. force, how do they launch without a go-code? Do they launch
if they fail to make contact with the outside world? That means the first
sub with a broken receiver could start WWIII. Do they surface and try to
make contact that way? If so, that would make them very vulnerable. Finally,
the reason we have the triad is to prevent an advance in some capability
from destroying all our capabilities. This policy (wait 24 hours) would
put all our eggs in one basket. If the Soviet ASW capability ever gets
a lot better (or is better than we think from unclassified sources),
our entire strategic force would be eliminated.
Allen Sherzer
sherzer%ngstl1@ti-eg.csnet
------------------------------
Date: Sun, 9 Nov 1986 16:27 EST
From: LIN@XX.LCS.MIT.EDU
Subject: Unequivocal confirmation of detonation
From: <"NGSTL1::SHERZER%ti-eg.csnet" at RELAY.CS.NET>
You misunderstand what I said. The tankers cannot keep THEMSELVES (not
to mention the bombers) in the air for 24 hours. This means that NONE
of the bomber force would survive.
But they could. There is no intrinsic reason that a tanker cannot
itself be refueled in the air.
As to the sub. force, how do they launch without a go-code? Do they launch
if they fail to make contact with the outside world? That means the first
sub with a broken receiver could start WWIII. Do they surface and try to
make contact that way? If so, that would make them very vulnerable.
Subs are capable of launching without a go-code. That means that even
in the absence of orders to launch, they can do so. That takes care
of your objection about submarines. You raise other questions, which
I will address, but note that the submarines are still potent.
I have spoken to a couple of submarine officers. They have said that
they are under orders to wait, and then try to monitor other radio
traffic. In a pinch, they have orders to go back to the base to look.
A submarine has many ways of getting information from the world, even
without surfacing. Even if it does, the ocean is a big place, and
poking an antenna above the water for 10 seconds is not likely to be
seen.
the reason we have the triad is to prevent an advance in some capability
from destroying all our capabilities.
In the event that the Soviets achieve a significant ASW advance, then
I will rethink the policy. In the meantime, we should concern
ourselves with what is true now.
.... If the Soviet ASW capability ever gets
a lot better (or is better than we think from unclassified sources),
our entire strategic force would be eliminated.
The Navy has categorically stated that the present SSBN force is
not vulnerable to current Soviet ASW. While they may elaborate on
this in classified testimony, they will not flatly contradict it.
------------------------------
End of Arms-Discussion Digest
*****************************