ARMS-D-Request@XX.LCS.MIT.EDU (Moderator) (08/26/86)
Arms-Discussion Digest Monday, August 25, 1986 10:21PM Volume 7, Issue 6 Today's Topics: administrivia Dyson's "Weapons and Hope" Duel Phenomenology: Computers + Computers = Computers ---------------------------------------------------------------------- Date: Mon, 25 Aug 1986 17:21 EDT From: LIN@XX.LCS.MIT.EDU Subject: administrivia Message failed for the following: Pancari@SRI-KL.ARPA: 550 No such local mailbox as "Pancari", recipient rejected Someone at SRI please delete this guy. Thanks. ------------------------------ Date: Mon, 25 Aug 86 13:50:50 pdt From: Steve Walton <ametek!walton@csvax.caltech.edu> Subject: Dyson's "Weapons and Hope" I just started reading this book, and I am already quite impressed with it. Dyson's declared purpose in writing the book is to explain the point of view of Helen Caldicott to the generals in Washington and vice versa. To this end, he attempts to find common ground between the two groups' arguments--not to resolve them, but only to get them to debate using the same terms to mean the same thing. To some extent, he is guilty of automatically splitting the difference, but for the most part he seems to succeed in his purpose. One example: he has read both Jonathan Schell's "The Fate of the Earth" and Government reports on civil defense. Both argue from impeccable sources and come to opposite conclusions with regard to the ultimate fate of post-nuclear-war humanity. Dyson comes to the following conclusions: (1) The generals and the peace activists are talking about two different timescales (this is fundamental); Dyson does not believe that a single nuclear exchange would wipe out humanity, but he believes that the first one would lead to a kind of collective insanity resulting in a series of 10 or so nuclear wars which *would*. (2) There is nothing wrong with civil defense, but since the number of lives lost in a nuclear exchange have such uncertainties, planners shouldn't be allowed to assign a "number of lives saved" value to a given civil defense action. He comments in passing that if the children of Hiroshima had been taught to dive under their desks, many of them would have avoided serious burns. He defines in the beginning of the book 13 questions which he thinks should form the basis for the debate. Number 13 is, "Do we want to live in a nuclear-free world with its attendant dangers?" The following is not quite a direct quote, but is close (I don't have the book handy): By "nuclear free world" I do not mean one in which all nuclear weapons have magically vanished and from which all knowledge of how to make them has been erased by a supernatural power. I mean one in which, after long and arduous negotiations supported by an aroused public opinion, the nuclear powers have agreed to destroy their nuclear weapons; delivery systems and declared stockpiles of warheads have been destroyed under supervision; in which a large but imperfect verification system is in place; in which the possible existence of a few hundred hidden warheads cannot be excluded; and in which the knowledge of how to assemble nuclear weapons is widely disseminated. It is not clear that such a world would be more risk-free than the one we live in now. I believe that such a world has important political and social advantages, however, which make it a worthwhile goal. This line of reasoning leads him to support SDI (as I heard him say in a talk at Caltech in 1984) as defense against those "few hundred" hidden warheads. He estimates that defenses built with existing technology would be a factor of 1,000 shy of perfect; a crash research program might improve them by a factor of 30, and if that is combined with reduction in the sizes of arsenals by a factor of 30, then we do have essentially perfect BMD. Furthermore, a factor of 30 reduction is a good figure for the US and USSR to set as a goal because it would reduce the size of their arsenals to roughly the same size as the British, French, and Chinese nuclear forces. Reduction to zero than becomes a multilateral rather than a bilateral problem, and hence much more difficult. All of this makes a hell of a lot of sense to me, and I think both the "hawks" and "doves" out there should read his book if they haven't already. If we can all come up with an agenda based on Dyson's ideas and our own, the people on this net probably have enough clout to bring it before the public. A postscript: One of Dyson's other questions deals with whether you should work within the system or outside it. His answer again is based on timescales. In the short run, you clearly have more influence within the system. But revolutionary change in the system's assumptions (such as the abandonment of nuclear weapons) can only come about by outside pressure. Stephen Walton, Ametek Computer Research Division ARPA: ametek!walton@csvax.caltech.edu BITNET: walton@caltech UUCP: ...!ucbvax!sun!megatest!ametek!walton ------------------------------ Date: Mon, 25 Aug 86 17:36:15 PDT From: Clifford Johnson <GA.CJJ@Forsythe.Stanford.Edu> Subject: Duel Phenomenology: Computers + Computers = Computers The digest being quiet, I thought I'd send this response to a question I left unanswered as to why I think "dual phenomenology" is about as dual and sane as the two notes of a "cuckoo." Figure 1 is a launch under attack timeline, and Figure 2 is a launch under attack decision tree produced by RAND but commissioned by the DOD. Comments/criticisms welcome. "LAUNCH UNDER ATTACK" IS LAUNCH ON WARNING, AND DUAL PHENOMENOLOGY IS NEITHER DUAL NOR SAFE The Report of the President's Commission on Strategic Forces, which was headed by Lt.-General Brent Scowcroft (April 1983), appended a doomsday dictionary, including: > LAUNCH ON WARNING - > This phrase is now usually, but not universally, used to mean launch > of missiles after one side received electrical signals from radars, > infra-red satellites, or other sensors that enemy missiles are on > the way, but before there have been nuclear detonations on its > territory. "Launch under attack" is sometimes used interchangeably > with "launch on warning" and sometimes used to designate a launch > after more confirmation has been received, such as indications that > detonations have been received. > LAUNCH UNDER ATTACK - > See "Launch on Warning." Note how "launch under attack" is NOT synonymous with "launch after first detonation." As shown in Figure 1 below (from Automated War Gaming As A Technique For Exploring Strategic Command And Control Issues, RAND N-2044-NA, 1983), "Launch Under Attack" is a time period beginning immediately after Soviet launch, and therefore embracing launch on warning. Yet, year after year, time is wasted in vital congressional hearings by the DOD's disinformative almost-denials that launch under attack includes launch on warning.[1] The reality is that the DOD's wrongly-named launch under attack capability is correctly called a LOWC, for two very good reasons: unless launch is effected before the explosion of incoming missiles, thereafter the missiles can be "pinned down" in their silos by explosions in their flight corridors;[2] and, more urgently, launch orders must be issued by the NCA before the NCA is destroyed. Likewise, as pointed out in the paper by Robert C. Aldridge (Background Paper on the Probability of a United States Launch on Warning Policy) "dual phenomenology" generates an ATTACK condition when two purportedly independent and consistent WARNING signals are received. Dual phenomenology was well-explained by former Under Secretary of Defense for Research and Engineering William Perry (Next Steps in the Creation of an Accidental Nuclear War Prevention Center, Center for International Security and Arms Control, Stanford, Oct. 1983): > The nuclear posture of the two superpowers today is like two people > standing about six feet apart, each of whom has a loaded gun at the > other's head. Each has his revolver cocked and his finger quivering > on the trigger. To add to the problem, each of them is shouting > insults at the other... the most realistic risk posed by nuclear > weapons is the risk of a nuclear war by accident or by > miscalculation... In the summer of 1979, I was awakened by a call > from a duty officer at the North American Air Defense Command > (NORAD) who told me that the NORAD computers were indicating that > 200 missiles were on their way from the Soviet Union to the United > States. That incident occurred about four years ago, but I remember > it as vividly as if it had happened this morning... if this event > had occurred at a time of political tension, if the human > intervening had not been as thoughtful as the officer on duty that > night, and if the data had been more ambiguous, it could have led to > a missile alert. [This phraseology is odd, since missile crews > WERE alerted.] In short, a coincidence of a number of unlikely > events could lead to a missile alert... If [the President] believed > that our national security required him to launch our forces based > only on a computer alert -- "launch-on-warning" -- a false alert > could lead to a nuclear war being triggered accidentally... > Unfortunately, many of the actions that would reduce our likelihood > of false alarm increase the likelihood that we will fail to launch > when we should, and vice-versa. For example, our alerting system > today considers that an attack is underway only if two independent > sensors have confirmed an attack. Therefore, if the probability of > one of them being in error [giving a false alarm] is one in a > thousand and the probability of the other being in error also is one > in a thousand, then the probability that they will both give a false > alarm at the same time -- assuming they are truly independent -- is > one in a million... it is sometimes argued that we can improve > timeliness of response by getting faster computers an by eliminating > the human evaluation phase of calling an alert. The above argument ignores the facts that: such "one in a million" probabilities are faced all day and every day, and are not representative of annual probability totals; the volatile complication of Soviet countersystems greatly amplifies the technological risk; and errors from two types of sensor (infra-red and radar) are certainly not independent, for innocent flying objects, such as meteors, could register on both. Nor is the safety problem fundamentally alleviated by implementation of statistical recognition and correlation algorithms, which have the effect of removing whatever phenomenological duality the system might possess; instead of infra-red and radar sensors evaluated by humans, the system thereby becomes computers and computers validated by computers. Already, technology provides programs that correlate attack reports from several sensors, using such tools as a "chi-square statistic to test equality of vector means hypothesis," which, besides wrongly assuming independence, optimistically "assumes normal distribution error model." Worse, the programs are primarily driven by "maximum likelihood" techniques which presumptively induce the most likely - or least unlikely - set of ballistic missile tracks from whatever phenomenum registers.[3] The unavoidable reality is that for prompt tactical warning, computers must correlate much diverse information and display conclusions in a simple fashion; and, to be at all credible, the system must be capable of generating warning conditions even when some sensors are not functioning. In General Herres own words: "And, you might lose some information, but the fact of its loss is warning in itself. You get that combined with information you are receiving from other nodes to tell you a lot of what you need to know." (Armed Forces Journal, Jan 1986, at 59.) This neatening-up process, called data or sensor fusion, is itself a dangerous potential source of error, and is depicted in Figure 2 below (from same source as Figure 1). Note that the depicted "high alert" LOWC (which could itself have been created by a satellite warning) would operate on satellite or radar warning ONLY in the event of one type of sensor being destroyed. What occurs is a sort of voting process where satellites and radars are polled, and where it is expected that not all sensors will be operational by virtue of the enemy's attack. The "yes/no" structure is consequently modified into a probabilistic certain-versus-likely set of votes, which is then logically summed, as explained in Scenario Agent: A Rule-Based Model Of Political Behavior For Use In Strategic Analysis, RAND N-1781-DNA (1982),[4] under the heading "QUALITATIVE CERTAINTY": > It has been argued that rules with conjunctive phrases (connected by > "and") in their left hand (condition) side contain certainty value > equal to the minmum of the certainty values associated with the > phrases. For example, if the rule is > if x and y, then z > and x is "certain" and y is "likely," then z is "likely." > However, rules with disjunctive phrases (connected by "or") in > the left hand side contain information of value equal to > the maximum of the certainty value associated with the phrases. > Thus, if x is "certain" and y is "likely," we would infer from > if x or y, then z > that z is certain. Replacing x by the phrase "satellite warning," and y by the phrase "radar warning," the above logical computation could read if satellite warning or radar warning, then attack warning In this context "certain" could correspond to a positive warning from a satellite sensor, and "likely" could correspond to "loss of signal" from a radar. By such reasoning, dual phenomenology is logically less than dual. Although the the DOD is careful to affirm that only an UNAMBIGUOUS warning can generate an attack condition, this assurance loses meaning once it is realised that the DOD's warning assessment computer programs automatically resolve ambiguities. Indeed, "disambiguation" is a program goal defined as "Selecting from alternative interpretations the one most appropriate in the given context... One approach is to use general heuristics for transforming incorrect expressions into well-formed ones."[5] The disambiguation concept is directly applied to sensor fusion in Future Military Applications For Knowledge Engineering, RAND N-2102-1-AF (1985), at 28-31: > As new technology is introduced to the battlefield, the critical > response times required for decisions are growing shorter at all > levels of the command hierarchy. Communications devices and control > hardware are constantly being improved to meet this demand, but the > human elements of the system are unable to change their timing > characteristics... The confluence of increasing data flow rates > from advanced sensors, the growing need for speed, and the necessity > for flexibility calls for increasing levels of automation of this > facility. Computers must take on tasks which were originally done > by humans... Among the potential applications of knowledge > engineering ... is the use of expert systems to assist > decisionmakers... Sensor fusion involves correlating, merging, and > interpreting the inputs from distributed sensors in the field. > Network management systems would be electronic agents, charged with > the responsibility of managing the C3 resources in response to > varying load, shifting priorities, and possible hostile > interference. A wide variety of sensors may be used in the > identification and disambiguation... Combination of sensors may be > employed to yield information not available from any single > source... Intelligent systems could process the raw data, using > knowledge about how the information is best utilized, and present > refined conclusions to the human components of the system... The > fusion application is sensitive to countermeasures based on > deception and would profit from further theoretical work on > decisionmaking in uncertain, and in fact, hostile circumstances. > The penalty for errors by a sensor fusion system increases with the > level of conclusion drawn... Of particular concern is that the > compromise of such software would allow the enemy to design > countermeasures tailored for its specific fusion heuristics. Thus > it will be critical that human operators remain "in the loop," able > to monitor and override system components as desired. Sensor fusion systems thus comprise statistical algorithms, implemented in software, that can be compromised. This gives rise to a threat of malicious, besides accidental, false alerts, which can never be eradicated, as reported in the OTA/LUA report: > (T)o launch silo-based ... missiles before attacking Soviet > (missiles) could destroy them ... is called launch under attack > (LUA)... The United States now preserves the capability to LUA as a > matter of stated doctrine... To guarantee the LUA capability > against some contingencies it might be necessary to adopt > unpalatable procedures regarding, for instance, delegation of launch > authority. No matter how much money and ingenuity were devoted to > designing safeguards for the U.S. capability to launch under > attack... it would probably never be possible to eradicate a > lingering fear that the Soviets might find a way to sidestep them. > Finally, despite all safeguards, there would always remain the > possibility of error, either that missiles were launched when there > was no attack, or that they failed to launch when the attack was > genuine... There are two risks of error in a basing system of > reliance upon LUA: the risk that launch would take place when there > was no attack, and the risk that launch would fail to take place > when there was an attack. Insofar as technology is concerned in the > assessment of these risks, one can in principle make arbitrarily > small the probability that electronic systems by themselves make > either kind of error, though beyond a point efforts to decrease the > chance of one error could increase the chance of the other... The > risk of error for an LUA system would seem highest when the human > being's ability to make highly structured errors combines with the > machine's limited ability to correct them. Mistakenly initiating a > "simulated" attack by, e.g., loading the wrong tape into a computer, > would be an error of this type. It is obviously not possible to set > and enforce a bound on the probability that such an error would > occur in a LUA system.[6] The launch on warning character of the launch under attack label is implicit in Figure 2, which, as noted above, treats the algorithm for generating a computer declaration of attack from sensor inputs. Even though entitled "A Simplified Logic Tree For Red's Assessment Of Blue's Ability To Launch Under Attack," this Figure proves the impossibility of verifying a seemingly sound and necessarily computerized attack warning. To manually check-out such tree-inference structures in a minute is out of the question, and note that the report states this is a "somewhat oversimplified" diagram. Note futher that on the June 1980 occasion when a single bad computer chip generated false attack warnings, despite the clear flag provided by registers clocking streams of the digit '2,' it took a recurrence of the problem and some two weeks of intensive investigation to discover the cause: > One bit of evidence was that the displays showed anomalies in that > there were a lot of '2's -- 20, 200, 220, 2000, 2200, etc. It > was a very anomolous indication since it was dominated by a series > of 2's. Following the event, my computer analysts worked 40 > straight hours, but could not determine the cause of the fault. > (General Hartinger, NORAD's C-in-C, Senate Armed Services Cmt., DOD > Appropriations FY 1982 hearings, p.4222, and Failures Of The NORAD > Attack Warning System, House Government Operations Subcommittee > hearing, May 1981, at 117.) However programmed, it is clear that, in order to ensure any chance of working in a real attack situation, sophisticated logical computations must be factored into the sensor fusion task. The consequences of performing "or" operations rather than "and" operations; or of confusing a "not not" with a "not not not," and so forth, in a computer system performing millions of such operations per second, is surely appreciated by a anyone schooled in the application of linguistics to the resolution of human conflict. NOTES: [1] For example: Gen. DAVIS: But certainly launch on warning could be very destabilizing. Launch under attack, there are many interpretations of that, but one interpretation of that is, of course, nuclear weapons are going off in our country, and certainly a reason to retaliate, which is launch under attack... Sen. NUNN: Well, does that mean that you have modified your position and that launch under attack is now acceptable? Gen. DAVIS: Let me characterize it as a prompt response. Now, launch under attack, certainly it must mean you are being attacked. Sen. NUNN: Your definition of launch under attack is, as you have just defined it, is that we would have already sustained damage, that the bombs would have already gone off? Gen. DAVIS: One or many, yes. [2] The report MX Missile Basing, OTA, 1984, Ch.4 "Launch Under Attack," hereafter the OTA/LUA Report (the definitive public report on LOWCs) makes this clear (at p.150 - see also p.156): Speaking roughly, receipt of a launch message or Emergency Action Message by the missile force as late as a few minutes before Soviet (missiles) arrive would be sufficient to guarantee safe escape of the missiles. This brief time would be accounted for by the time taken for the EAM to be transmitted to the missile fields, decoded, and authenticated; the time taken to initiate the launch sequence; the time from first missile takeoff to last; and the time needed for the last missile to make a safe escape from the lethal effects of the incoming (missiles). Thus, the time available for ICBM attack assessment and decisionmaking would be the half-hour flight time minus this small time period. (But) Soviet submarine-launched (missiles) targeted at command posts and communications nodes could arrive earlier than the ICBMs. [3] See Command, Control, Communications, and Intelligence, supra, at p.220, and Launch Under Attack To Redress Minuteman Vulnerability? by Richard Garwin in International Security, Winter 1979, at 134. [4] See also Inferno: A Cautious Approach To Uncertain Inference, RAND N-1898, 1982. [5] Machine-Aided Heuristic Programming: A Paradigm For Knowledge Engineering, RAND N-1007-NSF (1979), at vi,34. [6] The false alerts (=threat assessment conferences held) over the past years total: 1977: 43 1978: 70 1979: 78 1980: 149 1981: 186 1982: 218 1983: 255 1984: 153 (Source: NORAD public affairs office; data after 1984 kept secret.) To: ARMS-D@XX.LCS.MIT.EDU ------------------------------ End of Arms-Discussion Digest *****************************