The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 6 Issue 80

Sunday 8 May 1988


o Yet another SSN risk
Tom Lord
o Risks of banking
Ritchey Ruff
o "Auftragstaktik"
Gary Chapman
o Info on RISKS (comp.risks)

yet another SSN risk

Tom Lord <>
Fri, 6 May 88 13:26:55 -0400 (EDT)
Promises from your personel department are almost certainly not sufficient
to protect your Social Security number.  Such a promise presumes that the
department will have good control over its own records and, at least here at
CMU, this is not true.  This morning on my way into the office a box of
trash outside the machine room caught my eye.  The box was full of course
schedules listing each course, its classroom, its instructor, and the
instructor's SSN.  My guess is that something went wrong with the printer as
the job was printing, and that the operators tossed the partial output and
started over.

Risks of banking

Ritchey Ruff <>
Sat, 7 May 88 10:24:51 PDT
I belong to a credit union (which will remain unnamed for obvious reasons
below) and got the following notice in my end of month statement.  I'll
refer to the credit union as <CU> when ever their name appears in the
flier...  I am typing it in verbatim because of the numerous RISKS issues
bundled in this little flier, including:  SSN's, manuals and instructions,
misinformation, etc.  The CAPS are to represent either bold or caps in the
original.  The format is as close as I could come to exactly the flier, and
many of the typos are really in the flier (I proof read it 3 times to try
to remove all MY typo's ;-).  This should get some RISK dander up!!!

            <CU>'s Audio Teller

* ILLY - Audio Teller
    "Illy" is <CU>'s AUDIO TELLER.  You are "talking" directly to our 
    computer system by simply pushing buttons on the keyboard of your 
    Touch Tone phone!

    Every member has a personal security code.  Your security code is 
    the last four digits of your social security number.  Only you and 
    the computer know this number.  If you need to change your number, 
    you must request this in writing. No numbers will be changed by phone.

* Available hours
    Financial transactions: 7:00 a.m. to 5:30 p.m.
        During this time you are able to perform your own FINANCIAL 
        transactions.  You can transfer funds, request a withdrawal 
        check be mailed, or transfer a loan payment from your share 
    Inquiry Transactions: 7:00 a.m. to 5:30 p.m. and 
                  9:00 p.m. to 7:00 a.m.
        During this time you can check your share balance, inquire 
        if a certain share draft-check has been paid, or inquire on 
        your loan balance.

* How to use ILLY
    1) <state> residence dial: (xxx) xxx-xxxx


Gary Chapman <>
Fri, 6 May 88 10:10:00 PDT
This is a follow-up to one of Henry Spencer's messages, the one about the
German Army's emphasis on personal initiative among its military officers.
However, this is on a different tack than Henry's message about

There was a German term for giving a lot of personal initiative,
responsibility, and autonomy to front-line commanders:  the word is
"Auftragstaktik."  This was actually a product of the closing days of World
War I, and then found its way into training of the German officers in the
inter-war years.  The two most outstanding practitioners and advocates of
"Auftragstaktik" were Generals Guderian and Rommell, two of the more
successful Wehrmacht commanders.

What makes this term relevant and interesting today is that its precepts have
been rediscovered by the American Army in the 1980's.  The (relatively) new
U.S. Army doctrine known as AirLand Battle doctrine is explicitly derived from
the German blitzkrieg, and the authors of the new doctrine recognized how
critical "Auftragstaktik" is to the success of the blitzkrieg.  Consider the
following statement from Colonel Huba Wass de Czege, one of the authors of the
1982 Field Manual 100-5 which instituted AirLand Battle doctrine:

  The second important realization was that the chaos of the next battlefield
  will make centralized control of subordinates always difficult, sometimes
  impossible.  This led to the incorporation of a doctrine of command and 
  control which features decentralization of decisions by the use of mission 
  orders similar to that used by the Wehrmacht early in World War II.  This 
  style of leadership is called Auftragstaktik by the Germans.  ("Army
  Doctrinal Reform," in Clark, Chiarelli, et al., eds., *The Defense Reform 
  Debate: Issues and Analysis*, Johns Hopkins University Press, 1984, p. 107.)

"Auftragstaktik" has been the subject of numerous articles in various military
journals, most often in *Military Review*, the military's chief publication of
scholarly writing, where it has been celebrated as a long overdue reform from
the Army's traditional, set-piece, "engineer" model of the line combat officer.

What makes this interesting in terms of computer technology is that so much of
the computer development that has been undertaken in programs like DARPA's
AirLand Battle Management System seems to run completely counter to this trend
in the Army.   The AirLand Battle Management System is meant to provide
centralized control of combat operations at the corps level--a corps is the
next larger unit above a division--and the original DARPA plans wanted
electronic accountability down to the individual soldier and vehicle.  The
AirLand Battle Management System is supposed to be a huge expert system that
analyzes a battle in progress, makes recommendations of tactics, issues orders
to subunits, watches the battle in real time through vast sensor and satellite
networks, and continues to update the corps commander with new information,
recommendations, and so on.  This is exactly the opposite of what
"Auftragstaktik" entails.

The other worrisome aspect of "Auftragstaktik" in American doctrine is the wide
dispersion of nuclear devices in the U.S. Army in Europe.  Once the INF Treaty
pulls out Pershing 2s and GLCMs, the nuclear devices that will be left in the
U.S. Army arsenal in Europe will all be short-range weapons like nuclear
artillery shells and mines.  A doctrine which gives the "commander on the spot"
maximum authority for initiative and autonomy, combined with the availability
of short-range nuclear weapons, is something that worries a lot of people,
particularly the West Germans.

Finally, one of the most interesting things to watch in the military
establishment is the really severe conflict of interests between technophile
civilian managers and planners (usually people from the defense industry or
academic backgrounds) versus the traditional line military officers.  When I
give talks about autonomous weapons, automated command and control systems,
AirLand Battle Management, etc., and there are line officers in the audience,
their reaction is almost as viscerally angry as that of peace activists.  On
the other hand, my arguments against these systems (which are generally focused
on their risk) are characteristically dismissed by civilian planners and
managers as a smokescreen attempting to hide an agenda of "unilateral
disarmament," with everything that allegedly entails.  There is a lot of
self-aware and well-developed antipathy to technical solutions on the part of
the line officers, but not very much awareness of (or apparently even interest
in) this antipathy on the part of civilian managers and planners.  This gulf of
communication and the disparity in interests are likely sources of a lot of
confused policies in our military, and confused military policies bear a
significant degree of risk all by themselves.

As an aside, the material I have on the contradictions between AirLand Battle
doctrine's "Auftragstaktik" and the trends in computer systems meant to support
new military doctrine got cut out of *Computers in Battle* because it made my
chapter too long.  Most of the material can be found in my two-part article in
the Fall 1985 and Winter 1986 issues of *The CPSR Newsletter*, "AirLand Battle
Doctrine and the Strategic Computing Initiative."

Gary Chapman, Executive Director, CPSR     

Please report problems with the web pages to the maintainer