The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 3 Issue 64

Wednesday, 24 September 1986


o Sane sanity checks / risking public discussion
Jim Purtilo
o More (Maybe Too Much) On More Faults
Ken Dymond
o Re: Protection of personal information
Correction from David Chase
o Towards an effective definition of "autonomous" weapons
Herb Lin
Clifford Johnson [twice each]
o Info on RISKS (comp.risks)

Sane sanity checks / risking public discussion

Jim Purtilo <>
Tue, 23 Sep 86 12:54:10 EDT
  [Regarding ``sanity checks'']

Let us remember that there are sane ``sanity checks'' as well as the other 
kind. About 8 years ago while a grad student at an Ohio university that 
probably ought to remain unnamed, I learned of the following follies:

The campus had long been doing class registration and scheduling via
computer, but the registrar insisted on a ``sanity check'' in the form of
hard copy.  Once each term, a dozen guys in overalls would spend the day
hauling a room full of paper boxes over from the CS center, representing a
paper copy of each document that had anything to do with the registration
process.  [I first took exception to this because their whole argument in
favor of "computerizing" was based on reduced costs, but I guess that should
be hashed out in NET.TREE-EATERS.]

No one in that registrar's office was at all interested in wading through
all that paper. Not even a little bit.

One fine day, the Burroughs people came through with a little upgrade to the
processor used by campus administration.  And some "unused status bits"
happened to float the other way.

This was right before the preregistration documents were run, and dutifully
about 12,000 students preregistration requests were scheduled and mailed
back to them.  All of them were signed up "PASS/FAIL".  This was
meticulously recorded on all those trees stored in the back room, but no one
wanted to look.

I suppose a moral would be ``if you include sanity checks, make sure a sane
person would be interested in looking at them.''

  [Regarding break-ins at Stanford]

A lot of the discussion seems to revolve about ``hey, Brian, you got what
you asked for'' (no matter how kindly it is phrased).  Without making
further editorial either way, I'd like to make sure that Brian is commended
for sharing the experience.  Sure would be a shame if ``coming clean'' about
a bad situation will be viewed as itself constituting a risk...

               [I am delighted to see this comment.  Thanks, Brian!  PGN]

More (Maybe Too Much) On More Faults

"DYMOND, KEN" <dymond@nbs-vms.ARPA>
23 Sep 86 09:18:00 EDT
The intuitive sense made by Dave Benson's argument in RISKS 3.50, that

  >We need to understand that the more faults found at any stage to
  >engineering software the less confidence one has in the final product.  
  >The more faults found, the higher the likelihood that faults remain.

seems to invite a search for confirming data because there are also counter-
intuitive possibilities.  For example there is the notion that the earlier
in the life cycle errors are detected, the cheaper to remedy them.  There is
a premium on finding faults early.  And the further notion that with tools
for writing requirements in some kind of formal language that can be checked
for syntactic and semantic completeness and consistency, it's possible to
detect at least some errors at requirements stage that may not have been
caught till later.  So SE projects using these and similar methods for other
stages in the life cycle would tend to show more errors earlier.  Would the
products from these projects be therefore less reliable than others made
with, say, more traditional, less careful, design and programming practice ?

Dave makes the further argument in RISKS 3.57:

  >Certain models of software failure place increased "reliability" on
  >software which has been exercised for long periods without fault. [...]

The models of software reliability exist to order our thinking about
reliability and to help predict behavior of software systems based on
observation of failure up to the current time.  The models that show
failures clustered early in time and then tapering off later do indeed model
an intuition but maybe not the one that more faults mean yet more faults.
Hence the need for data.  I suspect that the reality as shown by data, if it
exists, would be more complex than intuition allows.  More errors discovered
so far may just mean better software engineering methods.  As far as other
engineering fields, the failure vs time curve in manufactured products is
often taken to be tub-shaped, not exponentially decaying.  So more failures
are expected at the beginning and near the end of the useful life of a
"hard" engineered product.  Of course, "an unending sequence of irremediable
faults" should be the kiss of death for any product, whether from hard
engineering or soft.  But the trick is in knowing that the sequence is
unending.  The B-17, I seem to remember reading, had a rather rocky
development road in the 1930s, yet was not abandoned.  Was it just that the
aeronautical engineers at Boeing then had in mind some limit on the number
of faults and that this limit was not exceeded?  It might be easy to say in
hindsight.  On the other hand, sometimes foresight, in terms of spotting a
poor design at the outset, makes a difference, as in the only Chernobyl-type
power reactor outside the Soviet block.  It was bought by Finland (perhaps
this is what "Finlandization" means ?).  However the Finns also bought a
containment building from Westinghouse.

Ken Dymond

Re: Protection of personal information

David Chase <>
Tue, 23 Sep 86 08:56:18 EDT
                       [The two participants requested this clarification 
                        be included for the record...  PGN]

You misinterpreted my message in a small way; I was writing about a
university attended by a friend, NOT Rice university.  To my knowledge, Rice
has been very good about protecting its students' privacy.  My student
number is NOT my social security number, though the university has that
number for good reasons.  I do not want anyone to think that I was talking
about Rice.       David

Towards an effective definition of "autonomous" weapons

Tue, 23 Sep 1986 18:00 EDT

    From: Clifford Johnson <GA.CJJ at Forsythe.Stanford.Edu>

    An "autonomous weapon" [should be] defined to be any weapons system
    which is de facto preprogrammed to take decisions which, under the law 
    of nations, require the exercise of political or military discretion.

It's not a bad first attempt, and I think it is necessary to get a
handle on this.  With the realization that you have done us a service
in proposing your definition, let me comment on it.

I don't understand what it means for a weapon to "take a decision".  Clearly
you don't intend to include a depth charge set to explode at a certain
depth, and yet a depth charge could "decide" to explode at 100 feet given
certain input.

What I think you object to is the "preprogrammed" nature of a weapon,
in which a chip is giving arming, targeting and firing orders rather
than a human being.  What should be the role of the human being in
war?  I would think the most basic function is to decide what targets
should be attacked.  Thus, one modification to your definition is

    An "autonomous weapon" [should be] defined to be any weapons 
    system which is preprogrammed to SELECT targets.

This would include things like roving robot anti-tank jeeps, and
exclude the operation of LOW for the strategic forces.

But this definition would also exclude "fire-and-forget" weapons, and
I'm not sure I want to do that.  I want human DESIGNATION of a target
but I don't want the human being to remain exposed to enemy fire after
he has done so.  Thus, a second modification is 

    An "autonomous weapon" [should be] defined to be any weapons 
    system which is preprogrammed to SELECT targets in the absence of
    direct and immediate human intervention.

But then I note what a recent contributor said — MINES are autonomous
weapons, and I don't want to get rid of mines either, since I regard
mines as a defensive weapon par excellence.  Do I add mobility to the
definition?  I don't know.

Towards an effective defintion of "autonomous" weapons

Clifford Johnson <GA.CJJ at Forsythe.Stanford.Edu>
Monday, 22 September 1986 21:43-EDT
There's great difficulty in defining "autonomous weapons" so as to separate
some element that seems intuitively "horrible" about robot-decided death.
But a workable definition is necessary if, as CPSR tentatively proposes,
such weapons are to be declared illegal under international law, as have
chemical and nuclear weapons.  (Yes, the U.N. has declared even the
possession of nukes illegal, but it's not a binding provision.)

The problem is, of course, that many presently "acceptable" weapons already
indiscrminately-discriminate targets, e.g.  target-seeking munitions and
even passive mines.  Weapons kill, and civilians get killed too, that's war.
Is there an element exclusive to computerized weapons that is meaningful?

I don't have an answer, but feel the answer must be yes.  I proffer two
difficult lines of reasoning, derived from the philosophy of automatic
decisionmaking rather than extant weapon systems.  First, weapon control
systems that may automatically target-select among options based upon a
utility function (point score) that weighs killing people against destroying
hardware would seem especially unconscionable.  Second, but this presumes a
meaningful definition of "escalation," any weapons system that has the
capability to automatically escalate a conflict - and is conditionally
programmed to do so - would also seem unconscionable.

Into the first bracket would conceivably fall battle management software and
war games, into the second would fall war tools that in operation (de facto)
would take decisions which according to military regulations would otherwise
have required the exercise of discretion by a military commander or
politician.  The latter category would embrace booby-trap devices activated
in peacetime, such as mines and LOWCs; and here there is the precedent of
law which prohibits booby traps which threaten innocents in peacetime.
Perhaps the following "definition" could stand alone as *the* definition of
autonomous weapons to be banned:

An "autonomous weapon" is defined to be any weapons system which is
de facto preprogrammed to take decisions which, under the law of
nations, require the exercise of political or military discretion.

This might seem to beg the question, but it could be effective - military
manuals and international custom is often explicit on each commanders'
degree of authority/responsibility, and resolving whether a particular
weapon was autonomous would then be a CASE-BY-CASE DETERMINATION.  Note that
this could, and would, vary with the sphere of application of the weapons
system.  This is reasonable, just as there are circumstances in which
blockades or mining is "legal" and "illegal."

Of course, a case-in-point would be needed to launch the definition.
Obviously, I would propose that LOWCs were illegal.  How about battle
management software which decides to engage seemingly threatening entities
regardless of flag, in air or by sea?  Any other suggestions?  Does anyone
have any better ideas for a definition?

Towards an effective definition of "autonomous" weapons

Tue, 23 Sep 1986 18:09 EDT
In thinking about this question, I believe that ARMS-D and RISKS could
perform a real service to the defense community.  There is obviously a
concern among some ARMS-D and RISKS readers that autonomous weapons
are dangerous generically, and maybe they should be subject to some
legal restrictions.  Others are perhaps less opposed to the idea.

It is my own feeling that autonomous weapons could pose the same danger to
humanity that chemical or biological warfare pose, though they may be
militarily effective under certain circumstances.

I propose that the readership take up the questions posed by Cliff's recent

    What is a good definition of an autonomous weapon?  

    What restrictions should be placed on autonomous weapons, and why?

    How might such limits be verified?

    Under what circumstances would autonomous weapons be militarily

    Should we be pursuing such weapons at all?

    How close to production and deployment of such weapons are we?

Maybe a paper could be generated for publication?

Please report problems with the web pages to the maintainer