ARMS-D-Request@XX.LCS.MIT.EDU (Moderator) (11/10/86)
Arms-Discussion Digest                 Sunday, November 9, 1986 4:31PM
Volume 7, Issue 53

Today's Topics:

                      Meteorite as A-explosion
             Yet more on SDI (Star Wars flawed #4-of-10)
              Unequivocal Confirmation of Detonation
                   Perfection of SDI (from RISKS)
                       defenses, first strike
                       defenses, first strike
              Unequivocal confirmation of detonation
              Unequivocal confirmation of detonation

----------------------------------------------------------------------

Date: Sat, 8 Nov 86 07:22:21 PST
From: Steve Walton <ametek!walton@csvax.caltech.edu>
Subject: Meteorite as A-explosion

In Arms-D V7 #46, Larry Campbell writes:

> Just a thought... would current systems (both technical and human) be
> able to distinguish a nuclear attack from the impact of a very large
> meteorite?  How about an anti-matter meteorite?

I think the answer is "yes."  There is only a small chance that a
meteorite would hit in the middle of a major city; it is much more likely
to land in the ocean.  No radiation, of course, which I think is why Larry
asks about anti-matter meteorites.  This is a vanishingly small
probability.  There is no evidence that there is a significant
concentration of anti-matter anywhere in our Galaxy.  Besides, the
conversion of 1 gram of anti-matter (a cube less than 1 cm on a side) to
energy would produce 9 x 10^20 ergs of energy, which is probably enough to
split the earth in two.  (I can't find the conversion from ergs to
megatons in the CRC, even though it tells me that there are 160 square
perches in an acre.)  Such a particle would also produce a long trail of
annihilations on its way in to the Solar System, due to collisions with
the atoms in the solar wind, the density of which is about 10 atoms per
cubic centimeter near the earth and more than 1 per cc even at Jupiter.
The resulting trail would be easily visible.
Steve Walton

------------------------------

Date: Monday, 3 November 1986  08:05-EST
From: Jane Hesketh <jane%aiva.edinburgh.ac.uk at Cs.Ucl.AC.UK>
To:   ARMS-D
Subject: Yet more on SDI (Star Wars flawed #4-of-10)

              Formulation of an Adequate Specification

                           Jane Hesketh

The area I want to address is the start of the system development path.
It is the initial step of analysing the task, identifying the
requirements, and thence generating a specification.  Here, I am using
the term specification in a large sense initially to describe a whole
system, including the computing sub-system.  This is one of the most
crucial stages, because no amount of good engineering practice or
provably correct code synthesis can make a silk purse out of a sow's
ear.  Any errors made here proliferate through the entire system; even
if they are recognised, their eradication and correction is often
expensive and liable to introduce other errors which were not previously
present.

Outline

  o  What must this stage cover?  Which aspects of SDI will make most
     demands on its designers?
  o  What existing approaches to analysis and specification are there
     within the computing disciplines?
  o  How much of a remedy for their shortcomings can we look forward to?
  o  Inherent limitations of (computer) modelling and control

What must this stage cover?  Which aspects of SDI will make most demands
on its designers?

This is a broad area of work, of which formulating the computing
specification is an integral part.  It must include at least the
following:

(1) Stating the problem, making an initial analysis of the potential
    overall feasible solutions and selecting one.

(2) Describing everything that might relate to the task's accomplishment
    sufficiently precisely.  Trying to minimise errors of omission or
    commission, ambiguities and inconsistencies.

(3) Designing a system to perform the desired task, including:

    o  Defining requirements for the production of the system, e.g.
       cost, timescale, prototypes, design freeze points, coordination
       of hardware and software development.
    o  Designing interfaces between units and communications between
       distributed subsystems.
    o  Failure characteristics of the system, both active and passive.

(4) Planning appropriate testing.

(5) Designing for modifiability and maintainability - to make it
    possible to correct mistakes in the system and to enable it to be
    altered to satisfy changing requirements.

Although the system may be hierarchically defined, none of the above can
be avoided; indeed they apply at all levels.  Higher levels of the system
must plan to cope with all the kinds of signals which may be manifested
by lower levels, for whatever reason - correct operation, operator error,
mechanical failure, component failure, power failure, enemy action etc.

SDI will make huge demands in almost all respects.  It will be a vast and
complex system, situated in a rich environment full of diverse stimuli.
Its potential effects will be far-reaching, so a high degree of precision
in its specification is essential.  The space of opportunities for error
will be orders of magnitude greater than the problem space.  Inherently,
a lack of stability of the problem means that even if a system can be
produced, it will be unmatched to its task for some of the time.  The
extent to which this is acceptable must be determined.  The BMS will face
a continually changing world.  Its own deployment will be a significant
cause of change.

What existing approaches to analysis and specification are there within
the computing disciplines?

Motivated largely by the increasing cost of producing and maintaining
computer software, there have been moves by computing practitioners to
develop better techniques for software development.  These have
concentrated largely on making the task of programming more routine,
given a specification, since this is reasonably tractable.
Formulating the analysis and design task has been largely avoided as
being more creative and requiring the involvement of humans.

Over the last couple of decades various systems have emerged intended to
encourage if not enforce good programming and good design, increasingly
attempting to attack the problem at higher and higher levels.  We have
moved from assembly code to higher level languages, and use of structured
programming techniques is widespread to control programs written in the
higher level languages.  Nowadays, we are seeing the beginning of
packages designed to be analysts' workbenches - for example graphical
representations of data flow diagrams which can be automatically
converted into specifications which can in turn be verified and converted
into code.  Internal inconsistencies and ambiguities can be flushed out.
They are, however, limited in terms of the kinds of model and range of
task they encompass.  Structured programming techniques, for example,
suit data processing applications, but do not deal well with a wide
variety of error conditions or interrupt handling.  Equivalent techniques
exist for things like parallel processing or real-time tasks.  All,
however, can only refine a specification; they can't invent it.

In parallel, there has been a move in academic computing circles towards
the automatic generation and verification of code based on some kind of
formally defined specification language.  The lessons of this indicate
the extent to which the capabilities of such systems will be
circumscribed, particularly with respect to the power of language they
will be able to express.  The logics we have at present are not good
enough to mirror real world problems of any sophistication.

Both of these approaches therefore, deal essentially with the design,
assuming the analysis is correct and complete.
In both cases, it is clear that no amount of automation will do better
than guarantee the correctness of a program to perform a stupid task if
that is what is specified.

How much of a remedy for their shortcomings can we look forward to?

In order to extend what has been done, the remedies we would look for
would demand the development of logics which could represent more
closely the world as we know it.  We will be able to set out
specifications in formal languages which are increasingly

  o  understandable to non-specialists
  o  able to describe more elaborate notions such as time, belief and
     uncertainty

But the potential for an extension of rigour to the analysis step or the
generation of specifications is limited.  If the designer fails to
anticipate some combination of circumstances, miscalculates tolerances,
or fails to define an event precisely enough to make it unerringly
identifiable, it is unlikely that internal inconsistencies will result
as a warning.  For some systems in relatively self-contained toy worlds,
a little progress might be made, by encoding their `world' knowledge.
For any large scale problem in the real world, that is impossible.

Inherent limitations of (computer) modelling and control

When completed, the specification (and the system itself) form a model
of appropriate reaction under threat, which happens to actually react,
unlike most models.  Even with improved tools, we are confronted with the
need to model parts of the world and the task we want performed, in some
combination of equipment and language.  There is nothing unique to
computing about this.  Engineers model bridges, educationalists model
learning processes and economists model financial systems.  Even the act
of describing something, whether in English or logic, is modelling.  From
time to time, everyone faces the question of whether their model is
appropriate.
As they take the great leap of confidence into their model, work out what
it suggests to them about the problem posed, and emerge, can they trust
the answers?  Models will never wholly replicate reality.  However
similar, a mechanical heart does not have quite the same properties as a
human one, and a computer model of a transport system will probably not
actually experience flooding or suicide even though it may incorporate
them statistically.  We cannot even expect to know what all the
limitations of each model are.  When we try to decide whether or not it
is suitable in each case, expert opinion rarely concurs in problems of
any significant complexity.  Since we cannot guarantee perfect matching
between problems and their representations, we cannot guarantee the
appropriateness of the solutions generated in computing any more than in
any other discipline.

Summary

  o  Analysis and specification are complex tasks which are notoriously
     difficult to get right even for small problems, and impossible for
     larger ones - especially those whose potential for error is
     considerable.
  o  Many attempts have been made to improve the quality of the systems
     produced, but they are limited by their reliance on having good
     specifications to start with.
  o  We can develop more powerful and more robust ways of expressing
     specifications, but we can't ensure their correctness or
     completeness with respect to our original intentions.
  o  All the systems we can produce will rely on models of the world and
     the task they are to perform.  Models can never wholly match
     reality.  So we must always be aware of the limitations of our
     systems.

Information about the author

Jane Hesketh is currently a Research Associate at the Department of
Artificial Intelligence, University of Edinburgh.
She has previously worked as a senior programmer at St Thomas' Hospital,
London, responsible for systems directly concerned with patients' medical
care, and as a senior analyst/programmer at Heriot-Watt University
Computer Centre, with special responsibility for microprocessor
applications.  She has a BA(Hons) in Mathematics from Cambridge
University, and an MSc in Statistics from London University.

------------------------------

From: hplabs!pyramid!utzoo!henry@ucbvax.Berkeley.EDU
Date: Sun, 9 Nov 86 08:40:11 pst
Subject: Unequivocal Confirmation of Detonation

> That is not a fundamental limitation.  The President's airplane can
> stay aloft for 72 hours.  If we wanted to keep the bombers aloft for
> 24 hours, we could.  (Besides, B52's *have* been kept in the air for
> about 24 hours.)

They've been kept aloft much longer than that... given adequate tanker
support.  A late-model B-52 can stay airborne about 24 hours *without*
refuelling (despite aircraft and engines both being 20 years obsolete),
but at the end of that its tanks are dry and it goes down.  None of the
tankers can come anywhere near that performance, however.  Furthermore,
my impression is that very little of the tanker force is normally on
runway alert, which means the tankers get destroyed on the ground.  Even
those that get off haven't the payload and endurance to be very useful
unless they can land and refuel somewhere.  The best of the tankers --
the KC-10s and the re-engined KC-135s -- might be able to stay up 12
hours and offload a modest amount of fuel, after which they go down.  So
they might be able to leave a small number of B-52s with full tanks at
the 12-hour mark, which will suffice for a one-way mission with the "go"
order at the 24-hour mark.  That is about the last time it can be given,
since the E-4B carrying the president will run out of fuel before much
longer even if it tanked up at the 12-hour mark.
It has enough oil and minor consumables for 72 hours, but for fuel it's a
normal 747, good for maybe 12-15 hours unless refuelled.  No tankers
after X+12 means no E-4B after about X+24.  Ditto for Looking Glass,
Tacamo, etc.

If the B-52Hs were re-engined with modern engines, they would probably
have an unrefuelled endurance of 36 hours or so, making the idea rather
more feasible.  A B-52 built with modern technology throughout might
reach 48 hours or more, but it's unlikely that anything like that will be
done.  It's a little pointless, anyway, since the airborne command posts
have so much less endurance.

Related thought:  if the B-52s and B-1s get airborne under attack, a
large percentage of the surviving bomber crews will be able to personally
verify nuclear explosions on US soil.  They don't scramble that fast;
they will know about it when the base behind them gets blasted.  How good
are the bomber -> command communications?  (Communications systems
intended for "go" orders aren't necessarily two-way.)

				Henry Spencer @ U of Toronto Zoology
				{allegra,ihnp4,decvax,pyramid}!utzoo!henry

------------------------------

Date: Tuesday, 28 October 1986  10:48-EST
From: LIN
To:   RISKS-LIST:, Douglas Humphrey <deh at ENEEVAX.UMD.EDU>
cc:   risks at CSL.SRI.COM, arms-d
Re:   Perfection

    From: Douglas Humphrey <deh at eneevax.umd.edu>

    To LIN : In response to a message, you state that none of the
    anti-SDI folk ever stated that the software had to be perfect.  I
    have heard constantly in both the widely read (Washington Post) and
    limited (?) distribution industry media (Aviation Leak and Space
    Mythology) SDI critics that contend that it must be perfect or it
    is useless.  I don't believe this, and I would hope you don't
    either, but saying that the whole must be perfect certainly implies
    that the parts must be perfect.

Please give a citation.
The only place I have ever seen a statement about required "perfection"
came in an article written by James Fletcher, of the Fletcher Commission,
who clearly states that "an enormous and error-free program" would be
required.  Fletcher hardly counts as a critic.

    [I held this one up hoping for a response...  PGN]

I don't deny that you have heard what you say you have heard, but the
only inference I can draw is that neither the Post nor AWAST have
correctly reported the critics' position.

What critics DO say is that you can never know if BMD software will work
in the absence of realistic testing.  KNOWING that a program will work
properly without error is a different, and more demanding, condition
than whether or not it *actually* will if put to the test.  Moreover,
critics do not have faith that it is possible to predict all of the ways
that the Soviets might attack; we do believe that the Soviets *might* be
able to attack in a way that would result in catastrophic failure.

On the general issue of "perfection", critics believe that the statement
of mission requirements comes from the President of the United States
and the Secretary of Defense, who assert that SDI is a way to protect
everybody against nuclear ballistic missiles.  They get funding from
Congress on that claim, and they present it to the American people that
way.  If they want to use it for something else, such as improving the
ability of the U.S. to retaliate, then let them say so.  Until the
proponents admit POLITICALLY that their goal is infeasible, critics have
a responsibility to confront them with their fallacies.  You may
acknowledge that their goal is infeasible, in which case we can argue
about what goals are feasible, but you are not the President.  If you
want to criticize someone for asserting perfection, dump on the highest
levels of the Administration, because they are the ones that set the
terms of the debate.
------------------------------

Date: Saturday, 8 November 1986  20:45-EST
From: cfccs at HAWAII-EMH
To:   ARMS-D
Re:   defenses, first strike

Let me see if I have all this down correctly.  Our current system of
defense (and that of the Soviet Union) cannot be 100% incapacitated
because of the mobility of some of the components (subs and possible
bombers).  This effectively means that if either side launches a first
strike and successfully destroys the main forces of the other, there
will still be enough left to destroy the population of the attacker.
This logically leads to the assumption that neither side will launch a
first strike unless they can be sure of their own self preservation.

On the other hand, there is always the chance of an accident or
irresponsible entity (terrorist or terroristic country?) who has nothing
to lose, getting a nuclear weapon capability and using it
indiscriminately.  It seems that no amount of retaliation will deter a
fanatic who has already decided to give up his life for his cause.

This brings us to the SDI issue.  I have heard many complaints that the
technology does not exist to develop a 100% effective defense.  That may
or may not be true depending on the expert you listen to.  The fact
exists that unless something is tried, it cannot be realized (gained?).
The SDI system will be developed in phases or versions.  Each will be an
improvement using newer technology.  Each will reach new goals which
will have been set based on the capabilities and requirements of the
day.  This is the way a system of such magnitude is designed.  Not a
one-time failsafe cure-all.

I am really surprised at some of the informed experts who have thumbed
their noses at developing this new direction in technology because
"...it can't be done".  The history books are littered with the names of
'experts' who were quoted saying those very words shortly before the
'impossible' became 'reality'.
The only thing I can think of that could be motivating these people to
speak out against moving *toward* this technology is politics.  They
must have a vested interest in the present system and don't want to see
their own cart of apples upset.

Anti-nuclear technology may be the only way to make nuclear weapons
obsolete.  Banning them won't do it because they already exist.  Making
them illegal means only the law breakers will develop them.  I know that
what we have all heard about SDI will not cure all the ills of nuclear
weaponry, but isn't it a start?  What is the alternative?

Gary Holt
CFCCS AWAII-EMH

------------------------------

Date: Sun, 9 Nov 1986  16:07 EST
From: LIN@XX.LCS.MIT.EDU
Subject: defenses, first strike

    From: cfccs at HAWAII-EMH

    Let me see if I have all this down correctly.  Our current system
    of defense (and that of the Soviet Union) cannot be 100%
    incapacitated because of the mobility of some of the components
    (subs and possible bombers).

Actually, you would be hard pressed to destroy all of the fixed
land-based missiles too.  How many would be left is a different
question.  Even 100 surviving missiles (out of 1000) would be rather
potent.

    This effectively means that if either side launches a first strike
    and successfully destroys the main forces of the other, there will
    still be enough left to destroy the population of the attacker.
    This logically leads to the assumption that neither side will
    launch a first strike unless they can be sure of their own self
    preservation.

Right.  That is the theory.

    On the other hand, there is always the chance of an accident or
    irresponsible entity (terrorist or terroristic country?) who has
    nothing to lose, getting a nuclear weapon capability and using it
    indiscriminately.  It seems that no amount of retaliation will
    deter a fanatic who has already decided to give up his life for his
    cause.

True.  But you have capabilities to determine who is about to do that.
Libya?
They won't get them very quickly or very soon, and in that case (how
likely is a Libyan ICBM?) we launch a pre-emptive strike on them.  You
can certainly construct scenarios now in which the Soviet Union is ruled
by a madman, but you have to describe how that could happen from the
world we live in now.

    This brings us to the SDI issue.  I have heard many complaints that
    the technology does not exist to develop a 100% effective defense.
    That may or may not be true depending on the expert you listen to.
    The fact exists that unless something is tried, it cannot be
    realized (gained?).

Hardly.  Would you support research into perpetual motion?  Into
immortality?  Into psychokinesis?  Maybe in a world with unlimited
funding, you would, but this isn't that world.

    The history books are littered with the names of 'experts' who were
    quoted saying those very words shortly before the 'impossible'
    became 'reality'.

But the fact that experts have been wrong doesn't mean that experts are
wrong now.  N-rays, telepathy, spontaneous generation were all laughed
at by some, and they have been consigned to the scrap heap.

    The only thing I can think of that could be motivating these people
    to speak out against moving *toward* this technology is politics.
    They must have a vested interest in the present system and don't
    want to see their own cart of apples upset.

Some of us don't like to see scarce resources wasted when there are so
many more pressing problems with higher odds of success.

    Making them illegal means only the law breakers will develop them.
    I know that what we have all heard about SDI will not cure all the
    ills of nuclear weaponry, but isn't it a start?  What is the
    alternative?

The alternative is to work on problems that we have a chance of solving.
Some research on SDI stuff is warranted, in my view.  But it should be
put into the very-long-shot category.  Making it the centerpiece of U.S.
policy is not the thing to do.
------------------------------

Date: Sunday, 9 November 1986  10:57-EST
From: The Computer is your friend! <"NGSTL1::SHERZER%ti-eg.csnet" at RELAY.CS.NET>
To:   arms-d
Re:   Unequivocal confirmation of detonation
X-VMS-To: SKACSL::IN%"lin%xx.lcs.mit.edu@csnet-relay"

>> From: <"NGSTL1::SHERZER%ti-eg.csnet" at RELAY.CS.NET>
>> Given that we have a place for tankers to land and refuel, we can keep
>> SOME of the bombers in the air for 24 hours.  This means the use of
>> airfields which will not exist after the Soviet attack so it is not
>> feasible in this situation.  Also, the time needed is more like 36
>> hours (they still need to fly to the USSR).  After talking with a
>> friend who is a retired tanker navigator, I was assured that it is
>> not possible to keep the tanker and bomber force aloft for the 24
>> hours (much less the actual 36 hours).

>> So, after 24 hours, we have no land based ICBM's, no bombers, some
>> (exact number unknown) of subs.  We also have no way to order the
>> retaliation (because of no C3).

> I agree we can't keep the entire force in the air for 24 hours.  But
> as you note, we can keep some of it in the air for that long.
> Submarines are capable of launching without a go-code.  That is still
> a formidable force.

You misunderstand what I said.  The tankers cannot keep THEMSELVES (not
to mention the bombers) in the air for 24 hours.  This means that NONE
of the bomber force would survive.

As to the sub. force, how do they launch without a go-code?  Do they
launch if they fail to make contact with the outside world?  That means
the first sub with a broken receiver could start WWIII.  Do they surface
and try to make contact that way?  If so, that would make them very
vulnerable.

Finally, the reason we have the triad is to prevent an advance in some
capability from destroying all our capabilities.  This policy (wait 24
hours) would put all our eggs in one basket.
If the Soviet ASW capability ever gets a lot better (or is better than
we think from unclassified sources), our entire strategic force would be
eliminated.

Allen Sherzer
sherzer%ngstl1@ti-eg.csnet

------------------------------

Date: Sun, 9 Nov 1986  16:27 EST
From: LIN@XX.LCS.MIT.EDU
Subject: Unequivocal confirmation of detonation

    From: <"NGSTL1::SHERZER%ti-eg.csnet" at RELAY.CS.NET>

    You misunderstand what I said.  The tankers cannot keep THEMSELVES
    (not to mention the bombers) in the air for 24 hours.  This means
    that NONE of the bomber force would survive.

But they could.  There is no intrinsic reason that a tanker cannot
itself be refueled in the air.

    As to the sub. force, how do they launch without a go-code?  Do
    they launch if they fail to make contact with the outside world?
    That means the first sub with a broken receiver could start WWIII.
    Do they surface and try to make contact that way?  If so, that
    would make them very vulnerable.

Subs are capable of launching without a go-code.  That means that even
in the absence of orders to launch, they can do so.  That takes care of
your objection about submarines.  You raise other questions, which I
will address, but note that the submarines are still potent.

I have spoken to a couple of submarine officers.  They have said that
they are under orders to wait, and then try to monitor other radio
traffic.  In a pinch, they have orders to go back to the base to look.
A submarine has many ways of getting information from the world, even
without surfacing.  Even if it does, the ocean is a big place, and
poking an antenna above the water for 10 seconds is not likely to be
seen.

    the reason we have the triad is to prevent an advance in some
    capability from destroying all our capabilities.

In the event that the Soviets achieve a significant ASW advance, then I
will rethink the policy.  In the meantime, we should concern ourselves
with what is true now.

    ....
    If the Soviet ASW capability ever gets a lot better (or is better
    than we think from unclassified sources), our entire strategic
    force would be eliminated.

The Navy has categorically stated that the present SSBN force is not
vulnerable to current Soviet ASW.  While they may elaborate on this in
classified testimony, they will not flatly contradict it.

------------------------------

End of Arms-Discussion Digest
*****************************