“Star Wars” Revisited
ETHICS AND SAFETY-CRITICAL SOFTWARE
Kevin W. Bowyer
IEEE Technology and Society Magazine, Spring 2002, 0278-0079/02/$10.00 ©2002 IEEE

Safety-critical software is a core topic in courses on “ethics and computing” and “computers and society.” It is also a core topic in software engineering courses. In the 1980s, the U.S. Reagan-era Strategic Defense Initiative was the focus of a great deal of technical argument relating to design and testing of safety-critical software. Today, most students in the U.S. have no familiarity with the substance of these arguments. However, with U.S. presidents Clinton and Bush considering various versions of a national missile defense system, the topic has again become relevant and applicable to current events.

Fig. 1. U.S. President Ronald Reagan’s 1983 speech is the source of high-level requirements for the “Star Wars” system.

Author note: Work on this module began under support of National Science Foundation Undergraduate Faculty Enhancement grant DUE-9752792 [16]. The video of Reagan’s SDI speech was obtained with the help of the Reagan presidential library. Video clips from the CPSR-sponsored M.I.T. debate are used with permission of the national office of the Computing Professionals for Social Responsibility. Portions of this paper were presented at the 2001 Frontiers in Education conference and the 2001 International Symposium on Technology and Society conference [20]. The author is Schubmehl-Prein Department Chair in the Department of Computer Science and Engineering, University of Notre Dame, Notre Dame, IN 46556. Email: kwb@cse.nd.edu.
This article describes a curriculum module developed around a Reagan-era SDI debate on the theme – “Star Wars: can the computing requirements be met?” This module may be appropriate for use in ethics-related or software-engineering-related courses taught in undergraduate Information Systems, Information Technology, Computer Science, or Computer Engineering programs. It should also be appropriate for use in courses in general engineering ethics or technology and society.

THE REAGAN-ERA “STAR WARS” DEFENSE PROGRAM

The Reagan-era “Star Wars” ballistic missile defense program generated a great deal of controversy. One aspect of this controversy involved the design and testing of safety-critical software. In 1985, the Computing Professionals for Social Responsibility (CPSR) sponsored a debate, held at M.I.T., on the question – Star Wars: Can the Computing Requirements Be Met? Controversy on this particular point was sparked by, among other things, David Parnas’ resignation from the Strategic Defense Initiative (SDI) computing panel. Parnas argued that it was impossible, in principle, to create SDI software that would allow a useful level of trust in the system. He presented his argument for this conclusion at the CPSR-M.I.T. debate and in various publications. Chuck Seitz, a member of the SDI computing panel who did not resign, argued at the debate in favor of the feasibility of SDI software. Michael Dertouzos served as debate moderator. Joseph Weizenbaum, who was not a member of the SDI panel, argued the con position along with Parnas. Danny Cohen, who served as chair of the SDI panel, argued the pro position with Seitz.

The presentations at this debate, in particular those of Parnas and Seitz, provide the core for developing a curriculum module that deals with ethical issues involved in the creation of safety-critical software. The module should be appropriate for use in courses on software engineering, ethical issues, social impact of computing, or technology and society. It has been successfully used both in courses aimed at first-year students who are not yet (and may not become) computing majors, and in a senior-level “capstone” course for Computer Science and Engineering majors. Some level of programming experience will of course help students to appreciate the complexities of software testing and debugging. Some level of discrete math background should help students to appreciate reliability-related concepts such as statistical independence of failures, but is certainly not necessary in order to understand the essence of the larger argument.

This course module can be viewed as divided into five sections: 1) introduction to the basic SDI problem, 2) evaluation of Parnas’ argument that trustworthy SDI software is not possible, 3) evaluation of Seitz’ argument that trustworthy SDI software is possible, 4) connection to current ballistic missile defense efforts, and 5) consideration of ethical issues for computing professionals working on such projects.

Fig. 2. Michael Dertouzos gives an SDI System Overview at the M.I.T.-CPSR Debate.

The first section of the module should give students a basic understanding of the requirements of an SDI system, and make it clear that this is an extreme instance of safety-critical software. The second and third sections present the arguments against and for the feasibility of creating trustworthy software for an SDI system. These sections contain the major technical substance of the module from a computing perspective. The purpose of the section on connecting the Reagan-era arguments to current missile defense efforts is to assess the modern relevance of conclusions in the original argument. The purpose of the last section of the course is to explicitly consider important ethical issues involved in this case study. The content of each section of the module is outlined in more detail below.

UNDERSTANDING THE CONTEXT OF THE SDI PROBLEM

The section of the module on understanding the SDI problem incorporates a short video clip
from President Ronald Reagan’s “Star Wars speech” (see Fig. 1) delivered in March of 1983 [1], and a clip from the 1985 CPSR-M.I.T. debate (see Fig. 2) in which moderator Michael Dertouzos gives an overview of the SDI scenario and requirements. Dertouzos outlines parameters of the SDI scenario, such as the size of the geographic area to be monitored for an attack launch, the projected time span of an attack, and the number of missiles, warheads and decoys that might be involved.

The goal of this section of the course is for students to work through a general understanding of the issues in the systems analysis and requirements specification stages of SDI software development. The PowerPoint material makes references to the waterfall model of software development, not to endorse this model over other models, but to focus students’ thinking on the problems inherent in specifying requirements for such software.

It is important that students develop an appreciation for the extreme difficulty of the SDI computing problem. For instance, at one point Dertouzos mentions that planners envision that the SDI system will maintain “a consistent distributed database” of the missile tracking information. There is some audible laughter from the audience at this point, because the demands of “consistent” and “distributed” are inherently contradictory at some level. This point may not be readily apparent to students as they watch the video. Therefore it may be useful to explicitly point out the difficulty involved in the real-time nature of the problem, the distributed communications and control, and the automated interpretation of sensory data that may vary with the state of nature and the intentions of an intelligent adversary.

Then-current thinking about the SDI scenario and technology is well represented in the “Eastport Report” and a U.S. Office of Technology Assessment report [22],[23]. Electronic copies of these government documents are available on CD with the video clips and PowerPoint for this curriculum module.

UNDERSTANDING PARNAS’ ARGUMENT

The purpose of this section of the course module is for the students to work through a summary of Parnas’ technical argument for why it is not possible to create trustworthy SDI software. This section of the module incorporates a video clip of Parnas’ presentation (Fig. 3) and additional PowerPoint slides. Any of several papers by Parnas might be used as references or handouts with this section (e.g., [2]). The PowerPoint material includes slides that ask students to identify the conclusion advanced by Parnas, and then, given the conclusion, to identify the premises used to argue for this conclusion. Students should also develop a clear idea of Parnas’ reasons why the SDI computing problem is more difficult than other complex computer systems. For example, launch of a space shuttle can be delayed if computer and weather conditions are not satisfactory, control of a nuclear power plant does not require defeating the intentions of an intelligent adversary, and other sophisticated weapons systems are used many times and so can be debugged after initial failures.

Students may need some guidance in formalizing the structure of Parnas’ argument. His presentation does contain a clear technical argument in response to the topic defined for the debate – Star Wars: can the computing requirements be met? However, he also goes beyond this at times and suggests conclusions of larger socio-political questions. Students may be tempted to assert that he argues for conclusions such as “The United States should not pursue SDI” or “Pursuing SDI will make the United States weaker rather than stronger.” In fact he
does, but students should be able to realize that these are not conclusions of the immediate computer systems engineering argument. Students should be encouraged to focus primarily on the argument that relates to the technical issue of whether it is possible, in principle, to create SDI software that could be considered trustworthy. It is possible that some students will have passionately-held opinions about peace, strong defense, or President Reagan’s legacy. Again, these are probably not appropriate as the immediate focus of class discussion.

Fig. 3. Parnas presents an argument that trustworthy SDI software is not possible in principle.

Students find it easier to reach an appropriate summary of Parnas’ argument if they are first guided to a statement of the conclusion. Discussion of different possible conclusion statements and how they relate to the debate topic should bring students to a statement similar to – “It is not possible to construct SDI software that could confidently be expected to work correctly when needed.”

The “confidently” qualifier is a potential source of ambiguity. However, Parnas suggests that a pragmatic definition is the level of confidence that you have that your car will start when you turn the ignition key. This may provide an opportunity for useful class discussion about what constitutes an appropriate level of confidence and whether or how such confidence might be measured. Other analogies can be offered similar to that of the car starting: for instance, the confidence you have that your computer system will correctly retrieve a file from disk when it is requested. Most examples that students propose in class will likely not incorporate the complication of an intelligent enemy. This point might be made by suggesting a sports-related analogy. For example, what is your level of confidence that the opposing team will not be able to score given that your team correctly executes the defense it has planned ahead of time? The point that Parnas makes is that our confidence that the software will work correctly when needed is directly linked to our assumptions about how an intelligent adversary will choose to structure an attack.

Fig. 4. Seitz presents an argument for the feasibility of creating an SDI System.

Fig. 5. Depiction of missile defense scenario from http://www.acq.osd.mil/bmdo/.
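The dependence of confidence on assumptions about the adversary can be shown concretely with one of the terms Parnas uses in his presentation and that the list of definitions in this section explains: “Byzantine agreement,” in which correctly working systems must agree even when some of the N systems send false messages. The following simulation is an added example, not code from the article or the module; it implements the oral-messages algorithm OM(1) of Lamport, Shostak and Pease for one commander and a set of lieutenants, with orders encoded as the constructed values ATTACK = 1 and RETREAT = 0 and a tie resolved to RETREAT. The guarantee holds only under the algorithm’s specification that fewer than a third of the participants are faulty (N > 3f); the last scenario violates that assumption, and the otherwise correct protocol lets a faulty node talk a loyal one out of the loyal commander’s order, which is the “unknown specification” problem in miniature.

```python
from collections import Counter

# Constructed example (not from the article): the oral-messages algorithm
# OM(1) of Lamport, Shostak and Pease for one commander plus lieutenants.
RETREAT, ATTACK = 0, 1


def majority(values):
    """Majority vote; a tie resolves to RETREAT, the conventional default."""
    counts = Counter(values)
    best = max(counts.values())
    return min(v for v, c in counts.items() if c == best)


def om1(commander_send, lieutenants, faulty):
    """One run of OM(1).

    commander_send(receiver) -> value the commander sends to that lieutenant
    lieutenants              -> ids of the lieutenants
    faulty                   -> {id: relay(receiver, true_value) -> value}
                                for lieutenants that may send false messages
    Returns {loyal lieutenant id: decided value}.
    """
    # Round 1: the commander sends an order to every lieutenant.
    received = {lt: commander_send(lt) for lt in lieutenants}
    # Round 2: every lieutenant relays the order it received to the others;
    # a faulty lieutenant may relay anything it likes to each receiver.
    relayed = {lt: {} for lt in lieutenants}
    for sender in lieutenants:
        for receiver in lieutenants:
            if sender == receiver:
                continue
            value = received[sender]
            if sender in faulty:
                value = faulty[sender](receiver, value)
            relayed[receiver][sender] = value
    # Decision: each loyal lieutenant takes the majority of what it heard
    # directly and of what the others claim to have heard.
    return {lt: majority([received[lt], *relayed[lt].values()])
            for lt in lieutenants if lt not in faulty}


def loyal_commander(order):
    return lambda receiver: order


def all_agree(decisions):
    return len(set(decisions.values())) == 1


def traitor_lieutenant():
    """N = 4 (commander + 3), one faulty lieutenant: the loyal ones still
    agree on the loyal commander's ATTACK order."""
    def liar(receiver, true_value):
        return RETREAT if receiver == 1 else true_value
    return om1(loyal_commander(ATTACK), [1, 2, 3], {3: liar})


def traitor_commander():
    """N = 4, the commander is the faulty node and sends different orders:
    the loyal lieutenants still all decide the same value."""
    def two_faced(receiver):
        return ATTACK if receiver == 1 else RETREAT
    return om1(two_faced, [1, 2, 3], {})


def too_few_nodes():
    """N = 3 with one faulty lieutenant violates N > 3f: the loyal lieutenant
    ends up with RETREAT although the loyal commander ordered ATTACK."""
    def liar(receiver, true_value):
        return RETREAT
    return om1(loyal_commander(ATTACK), [1, 2], {2: liar})


if __name__ == "__main__":
    print("faulty lieutenant:", traitor_lieutenant())   # {1: 1, 2: 1}
    print("faulty commander :", traitor_commander())    # all loyal agree
    print("N = 3, f = 1     :", too_few_nodes())        # {1: 0}, wrong
```

The three scenario functions return the loyal lieutenants’ decisions, so a class can vary the lying strategy or the number of nodes and see exactly when the agreement property survives and when it does not.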
TABLE I
CATEGORIZATION OF COMPLEX SYSTEMS ACCORDING TO APPLICATION CONSTRAINTS
(columns: properties of the application that complicate design and testing)

| Computer system application | Real-time response requirements | “Signal-to-symbol” sensor data processing | Uncontrolled sensor imaging conditions | Intelligent adversary motivated to fool system | Starting conditions controlled by adversary | Requires coordinated distributed computing |
|---|---|---|---|---|---|---|
| Chess-playing | No | No | No | Yes | No | No |
| Telephone switching | Yes | No | No | No | No | Partially |
| Space shuttle | Yes | Yes | Yes | No | No | No |
| Nuclear power plant | Yes | Yes | Partially | No | No | No |
| Fighter jet | Yes | Yes | Yes | Yes | Partially | No |
| SDI | Yes | Yes | Yes | Yes | Yes | Yes |

Once students have the conclusion of the argument, they should be able to identify relevant premises that Parnas uses to argue for the conclusion. Important elements of the technical argument have to do with the specifications being unknown, there being no practical way to realistically test the software, and there being no time to debug the software in use. While factors such as the number of programmers required to work on the software and the estimated size of the system may also be relevant, Parnas explicitly asserts that his argument is independent of the size of the software.

As a result of analyzing the material in this section, students should be able to reach a summary of Parnas’ technical argument similar to the following. It would also be within the spirit of Parnas’ presentation to give a one-premise form of the argument. The statement – “Since the specifications are inherently unknown, therefore it is not possible to know whether you have written the desired system.” – would reasonably capture the essence of the argument.

Candidate Summary of Parnas’ Argument –
Since:
(1) The specifications for the software cannot be known with any confidence, because they depend on the actions of an intelligent adversary, and
(2) The software cannot undergo any fully realistic testing, because this would require realistic sensor data reflecting the (unknown) scenario for enemy attack, and
(3) There would be no time during an attack to repair and re-install failing software (“no real-time debugging”),
Therefore: It is not possible to construct SDI software that could be confidently expected to work correctly the first time it is needed.

Parnas mentions a number of items during his presentation that should be defined for the class in order for them to get the most out of his presentation. Among these are a) the acronym MAD, standing for Mutual Assured Destruction, the cold-war strategy that says nuclear war is best deterred by having each side believe that it would result in mutual destruction, b) ADA, the programming language, in the context of it being an ambitious software project that took a number of years to result in reasonably efficient and correct compilers, c) “people with Dutch accents,” indicating Edsgar Dijkstra, in the context of suggestions that the problem with software is that the software engineers are not talented enough, d) “Byzantine agreement,” a formalism of the problem in which N distributed systems communicate to reach agreement among the correctly-working systems even when some fraction of the N systems may send false messages, e) “Safeguard,” referring to an early ballistic missile defense system intended to defend only selected sites neces-
sary for the U.S. to launch a retaliatory strike, f) “Vietnam,” in the context of the weapons systems used in that war, g) “someone named Walker,” meaning a person with Defense Department security clearance who is discovered to be a long-time spy for the enemy, and h) a reference to Fred Brooks, in the context of a person of distinguished reputation in software engineering [21].

Parnas also makes an argument that the SDI computing requirements are, in effect, unique and more difficult than those for any other complex system that might be selected for an analogy. At one point in the debate, Cohen mentions the space shuttle as an example of a system requiring large and complex software. Parnas’ response is that whereas NASA can delay a launch up until the last second, the president cannot call up the (former) United Soviet Socialist Republic (USSR) to delay a nuclear war. An interesting class exercise would be to make a list of constraints on the SDI computing system and ask students to classify other complex systems according to these constraints in order to find a good analogy. The result might be something like that in Table I.

UNDERSTANDING SEITZ’ ARGUMENT

Similar to the section on Parnas’ argument, the point of this section is for the students to work out a critical-thinking summary of Seitz’ argument. Also similar to the previous section, the material for this section includes video of Seitz’ presentation (see Fig. 4), plus supporting PowerPoint slides. The premises should represent technical bases that Seitz uses to argue for his conclusion. Seitz quotes from the SDIO computing panel (from which Parnas resigned and Seitz and Cohen did not) as part of his presentation. One quote is: “The feasibility of the battle management software and our ability to test, simulate, and modify the system are very sensitive to the choice of system architecture. In particular, the feasibility of the battle management software is much more sensitive to the system architecture than it is to the choice of software engineering techniques.” From this it seems clear that Seitz is arguing that the problems can be solved through an appropriate choice of system architecture.

As with Parnas’ presentation, students may need some guidance to arrive at an appropriate summary of Seitz’ argument. Seitz uses relatively few terms in his presentation that will require definition for the class. One concept that students may not be familiar with is the “signal to symbol” transition in processing sensor data. This refers to the process of moving from raw sensor data to a symbolic description of entities in the data. The raw data might be a 2-D array of non-negative integers that form an image representing some property such as heat, reflected light, or distance from the sensor. The symbolic description might be something like “missile centered at location x,y”.

The conclusion of Seitz’ argument should be a statement to the effect that it is possible to construct reliable SDI software. The premises of the argument will have to do with hierarchical control structures being well understood, conceptual control structure that coincides with physical control structure being an advantage for reliable implementation, and modularity being an advantage in implementation and testing. It should be possible for students to arrive at a summary of Seitz’ argument similar to the following:

Candidate Summary of Seitz’ Argument –
Since:
(1) Hierarchical control structure is natural and well understood, and
(2) Hierarchical organization seems attractive both for the conceptual flow of data abstraction, and the physical organization of the system, and
(3) Hierarchical organization naturally leads to modularity, which is an advantage for achieving reliable implementation,
Therefore: It is possible to construct SDI software that could be confidently expected to work correctly the first time it is needed.

With the arguments of the two sides of the debate identified, students should begin to have the basis for developing their own informed opinion on the issue. Students can also be asked to assess stylistic issues in the presentations, and how these factors might influence the effect on a non-computing-literate audience.
For example, how does the use of personal comment and sarcasm affect the communication of technical content? How does/would an explicit premise-conclusion summary of the argument aid the audience’s understanding? And how does not responding explicitly to an opponent’s asserted premises affect credibility?

At the end of analyzing the two presentations, it will be clear to most students that Parnas’ technical argument is essentially correct and is not refuted by Seitz’ argument. One over-simplified characterization of the debate is that Parnas says “We can’t test it” and Seitz then replies “We can build it.” In this sense, the two presentations do not respond equally well to the theme of the debate, “Star Wars: can the computing requirements be met?” Seitz argues that we can build something that should be useful, but does not really address the issue of how to test that it would meet requirements. Parnas argues that it doesn’t make any difference what is built or how it is built, because there won’t be any means of testing that it meets requirements.

For many people, the in-principle nature of the point about the specifications for the software being unknown is enough to carry the argument by itself. The rather clear-cut nature of this narrow technical argument is a potential pitfall for use of this material. Students who have a strong a priori belief in the positive value of ballistic missile defense may feel that their political beliefs are being challenged, or that the material has somehow been unfairly presented. There are several points to consider in this regard. One point is that the purpose of the study is, in so far as possible, to discover the truth, and this may result in a challenge to a priori beliefs. A second point is that the two presenters, Parnas and Seitz, are both accomplished, world-class computer scientists. This point can, and probably should, be emphasized through a pre-class assignment described later.

It also should be pointed out that both Parnas and Seitz came to the debate already familiar with the essence of the other person’s argument. Parnas was presenting arguments that he had already published and that Seitz certainly would have known about. Similarly, Seitz was presenting arguments based on the published report of the SDI computing committee. It is not reasonable to think that either person was caught unaware by the other person’s argument.

A point that might merit exploration in courses on technology and society is that the narrow question of whether or not it is possible to create trustworthy SDI software does not necessarily answer the general question of whether or not it is worthwhile to attempt to construct an SDI system. Students may find this point a bit paradoxical. However, one defense sometimes raised by supporters of the Reagan legacy is that the Soviet attempt to respond to the SDI program was an important contributing factor in the breakdown of the Soviet Union [26]. That is, even if SDI did not or could not work, it aided a larger objective of “defeating” the Soviet Union. Similar sorts of arguments were made in 2001 by President George Bush’s Secretary of Defense Donald Rumsfeld. He expressed “that the United States is likely to deploy certain antiballistic missile systems before testing on them is completed” [24] and argued that “even if a missile defense system does not work properly, it would make an adversary think twice before launching a missile at the United States” [25]. Thus the Bush administration appears willing to stipulate that the system may not work properly or well, but is willing to undertake the expense of building a system anyway in order to achieve other perceived benefits. This clearly illustrates how there may be a distinction between the technical question and related political questions.

RELATION TO CURRENT MISSILE DEFENSE SCENARIOS

The point of this section of the course is to relate the evaluation of Parnas’ and Seitz’ arguments to current ballistic missile defense plans. A recent special issue of IEEE Spectrum assesses the state of various U.S. missile defense programs [4]. Overall, the web site of the DoD Ballistic Missile Defense Office (BMDO) is an excellent source of information [6]. This is perhaps especially true because the envisioned scenarios for a missile defense system are evolving over time. Information from this site should be useful to summarize the current official scenarios, plans, and status. An example figure from this web site appears in Fig. 5.

The U.S. continues to spend large amounts of money on missile defense. An editorial in Science magazine in 2001 estimated cumulative U.S. expenditures on missile defense at $100 billion, in current dollars [7].

Missile defense is of course a socially and politically controversial topic. Numerous articles on missile defense are also available in the popular press (e.g., [9] “con” and [12] “pro”), and numerous interest groups have web pages with archives of press releases and news reports on the topic.

Reviewing the recent history of U.S. ballistic missile defense efforts can give valuable perspective on the feasibility of the goals of the Reagan-era program [3] – “In the last 15 years, the United States has conducted 20 hit-to-kill intercepts, for the BMD programs discussed here as well as in other tests. Six intercepts were successful; 13 of those intercepts were
done within the last five years, and among them, three intercepts succeeded. ... no real attempts have been made to intercept uncooperative targets — those that make use of clutter, decoys, maneuver, anti-simulation, and other counter measures. Nor have any tests attempted to use a real battle management system that integrates data from a diverse array of actual tracking sensors and directs an interceptor to a target.” An interesting assignment for students may be to gather information on the most recent tests and to assess the level of realism in the tests (clutter, decoys, ...).

Students with any previous software engineering course work should easily realize that the testing done to date does not begin to address the more difficult technical issues identified in the Reagan-era debate. Tests that use data from actual tracking sensors and that try to hit targets that employ simple counter-measures would be only the beginning of “realistic” testing. Increased realism would include, for example, multiple targets that create various loads and structures of attack, varied weather conditions, and simulation of random and coordinated failures in the system due to attack. A useful exercise for students may be to ask them to sketch a plan for several levels of increasingly realistic testing of SDI software. Real incidents from actual tests of missile defense technology can be used to emphasize the difficulty involved. For example, in a 1997 test “the clouds had cleared but a software problem caused the laser to recycle, or unexpectedly lose power, during the brief period in which the satellite was within range” [10].

It is important for students to realize that the motivating scenario for current missile defense efforts is not the same as for the Reagan-era program. Potentially important differences include 1) the anticipated size and sophistication of an attack, and 2) the geographical location/size of the hypothesized enemy. The Reagan-era SDI program envisioned an attack of tens of thousands of missiles coming from the area of the former USSR. Current thinking envisions an “attack by a rogue state using a handful of warheads outfitted with relatively simple countermeasures” or “an accidental launch of a few warheads by Russia or China” [3]. This clearly reduces, to some degree, the required complexity of the ballistic missile defense system. How this affects the conclusions of the Parnas-Seitz debate is not entirely clear, and provides an opportunity to pursue an interesting line of reasoning.

When asked, most people will feel that a successful SDI system for the currently envisioned scenarios is perhaps possible, or at least is not as clearly impossible as for the Reagan-era scenario. This feeling presents something of a conflict, because Parnas explicitly made an “in principle” argument. When students accept Parnas’ argument for the Reagan-era scenario, but feel that it might be possible to construct a reliable system for current scenarios, there is a need to resolve the apparent inconsistency. The resolution appears to lie in the perceived feasibility of “over-engineering” the system. By “over-engineering” we mean designing a system explicitly to have substantial over-capacity relative to the size of the threat, akin to the old engineering idea of a “margin of safety” in the design. With the Reagan-era scenario of tens of thousands of warheads and hundreds of thousands of sophisticated decoys, most people could not imagine over-engineering the system to a degree that would provide confidence. With current more limited scenarios, it seems easier for people to imagine that the system might be built with enough excess capacity to provide confidence that it would work in the presence of some failures. Whether or not this is truly a realistic option will of course depend on the particular assumptions made about the size and sophistication of the threat.

Given that the majority of the class accepts the in-principle argument made by Parnas, but then also believes that a missile defense system for current scenarios is feasible, it makes sense to explore the differences between the scenarios. Students might be asked to rate the feasibility of constructing a missile defense system in various in-between scenarios. For example, what if the “rogue country” in current scenarios could launch hundreds, thousands, or tens of thousands of missiles? Or, what if the enemy was able to launch the attack from unknown points over a larger geographic area? The point of the exercise would be to isolate the factors of the scenario that appear to most affect feasibility of the system.

A current whistle-blowing case alleges fraud in the testing and development of software in recent missile defense efforts [19]. The whistle-blower, Nira Schwartz, alleges that TRW knew that the performance of its software to discriminate warheads from decoys was far below what was reported to the government. The allegations have been investigated at several levels. One Pentagon criminal investigator said that there is “absolute irrefutable scientific proof that TRW’s discrimination technology does not, cannot, and will not work” and that TRW was “knowingly covering up its failure” [19]. A team put together to look at the allegations and the report said that the TRW computer programs “were ‘well designed and work properly’ provided that the Pentagon does not have wrong information about what kinds of warheads and decoys an enemy is using” [19]. In other words, if one assumes specifications for the warheads and targets that an enemy will use, and if this information turns out
to be correct, then the software should work. This rather clearly shows that one critical weakness is unknown specifications – the same weakness that Parnas emphasized over fifteen years earlier!

The coverage of this whistle-blowing incident also provides excellent opportunities for critical-thinking exercises. Congressman Curt Weldon of Pennsylvania provides several quotes arguing for the construction of a missile defense system. One of these is as follows: "If we don't build a new aircraft carrier, we have older ones. If we don't build a new fighter plane, we have older ones. If we don't build a new tank, we have older ones. If we don't build missile defense, we have nothing" [19]. In premise-conclusion form, his argument appears to be:

Since:
We have existing but older forms of many weapons systems, and
We have no existing form of a missile defense system,
Therefore: we should build a missile defense system.

As is often the case, the argument loses some of its appeal simply by being cast into explicit premise-conclusion form. The argument does not address cost tradeoff issues such as whether it would be better to have a missile defense system or newer versions of other weapons systems (or other security-enhancing measures). More fundamentally, it also does not address the issue of whether it is even possible to construct a reliable missile defense system. For students that would understand the halting problem, the following might be offered for discussion as a possibly analogous argument:

Since:
We have existing but older forms of many software development tools, and
We have no existing tool to check for whether a program will run into an infinite loop,
Therefore: we should build a tool that will check whether a program will run into an infinite loop.

The goal here sounds great, but there is computer science theory that says it is impossible. Some software engineers might regard the idea of constructing software to meet unknown specifications as similarly impossible. The pragmatic response is that some specifications will be assumed that will hopefully cover the real-world cases that arise.

Congressman Weldon also makes an analogy between critics of President Kennedy's program to land a person on the moon and current-day critics of missile defense [19]. The intent of the argument is apparently to have people conclude that the SDI program would succeed in the way that the program to land a man on the moon succeeded. The big missing element in this analogy should be clear. The moon-landing program had to deal with problems presented by nature, whereas the missile defense program has to deal with problems presented by an intelligent enemy that is motivated to defeat the system. Again, this point relates back to the issue of unknown specifications.

Another quote from Congressman Weldon came in response to a letter signed by Nobel Laureates arguing against development of missile defense. Weldon's comment was: "Well, I don't know any of them that's come to Congress or to me. I've not seen one of their faces. I mean, you know, it's easy to get anyone to sign a letter. I sign letters all the time" [19]. In premise-conclusion form, the argument appears to be:

Since:
I have not talked to them face-to-face, and
They have only written a letter, and
I sign letters all the time (it is easy to get me to sign a letter),
Therefore: their letter does not mean anything.

There is one particularly telling point here. It seems that the congressman's argument uses a premise that the Nobel laureates' letter should not be taken seriously because, by analogy, he signs letters all the time that he does not mean to be taken seriously. In any case, again, the response does not address any of the issues of substance. The analysis of these quotes may be more relevant to classes in technology and society than to classes in software engineering, and should serve to emphasize to students that the political decision-making about missile defense is taking place in a notable absence of any serious technical discussion.

After covering the material in this section of the module, students should understand how the current national missile defense scenarios relate to the technical arguments developed during the Reagan-era SDI debate. They should also appreciate the fact that much of the current political discussion about national missile defense is seriously lacking in consideration of technical feasibility.

RELATION TO CODES OF ETHICS

Discussion of this case study should include consideration of ethical issues that confront computing professionals working on such projects, with explicit reference to the different professional codes of ethics. Students should be asked to evaluate the ethical issues relative to the professional codes of ethics, and project what they might do in various situations. Among the many questions that students might be asked to address are:

1) Was Parnas right in resigning his $1000/day consulting position to "blow the whistle" on the SDI program?
2) Is it ethical today to accept work on national ballistic missile defense systems, or, more generally, on systems that you believe cannot possibly work as advertised?

3) Assume that you believe it is ethical to work on national ballistic missile defense systems, and that you are a manager at a company doing such work – how should you treat an employee who believes that it is ethically wrong to work on such systems?

4) How should you, as a professional, respond to a non-computing-literate person who asks you if a national ballistic missile defense system is possible?

The various codes of ethics for the computing professions offer some fairly clear guidance on such questions. Relevant items of the Association of Information Technology Professionals' (AITP) standards of conduct [5], [15] that students should consider include the following:

"In recognition of my obligation to society I shall: ... Use my skill and knowledge to inform the public in all areas of my expertise. ... To the best of my ability, insure that the products of my work are used in a socially responsible way. ... Never misrepresent or withhold information that is germane to a problem or situation of public concern nor will I allow any such known information to remain unchallenged. In recognition of my obligation to my fellow members and the profession I shall: ... Cooperate with others in achieving understanding and in identifying problems."

Relevant elements of the Association for Computing Machinery (ACM) code of ethics include (numbers identify specific sections and items of the full code [15]):

"As an ACM computing professional I will... [2.5] Give comprehensive and thorough evaluations of computer systems and their impacts, including analysis of possible risks. ... [2.7] Improve public understanding of computing and its consequences."

"As an ACM member and an organizational leader, I will... [3.4] Ensure that users and those who will be affected by a computing system have their needs clearly articulated during the assessment and design of requirements. Later the system must be validated to meet requirements."

Relevant elements of the ACM/IEEE-Computer Society (CS) Software Engineering Code of Ethics include the following (numbers identify specific sections and items of the full code [15], [17]):

"Software engineers shall act consistently with the public interest. In particular, software engineers shall, as appropriate: ... [1.3] Approve software only if they have a well-founded belief that it is safe, meets specifications, passes appropriate tests, and does not diminish quality of life, diminish privacy or harm the environment. The ultimate effect of the work should be to the public good. ... [1.4] Disclose to appropriate persons or authorities any actual or potential danger to the user, the public, or the environment, that they reasonably believe to be associated with software or related documents."

"Software engineers shall act in a manner that is in the best interests of their client and employer, consistent with the public interest. In particular, software engineers shall, as appropriate: ... [2.6] Identify, document, collect evidence and report to the client or the employer promptly if, in their opinion, a project is likely to fail, to prove too expensive, to violate intellectual property law, or otherwise to be problematic."

"Software engineers shall ensure that their products and related modifications meet the highest professional standards possible. In particular, software engineers shall, as appropriate: ... [3.2] Ensure proper and achievable goals and objectives for any project on which they work or propose. ... [3.7] Strive to fully understand the specifications for software on which they work. ... [3.8] Ensure that specifications for software on which they work have been well documented, satisfy the users requirements and have the appropriate approvals. ... [3.10] Ensure adequate testing, debugging, and review of software and related documents on which they work."

"Software engineering managers and leaders shall subscribe to and promote an ethical approach to the management of software development and maintenance. In particular, those managing or leading software engineers shall, as appropriate: ... [5.12] Not punish anyone for expressing ethical concerns about a project."

"Software engineers shall be fair to and supportive of their colleagues. In particular, software engineers shall, as appropriate: ... [7.5] Give a fair hearing to the opinions, concerns, or complaints of a colleague."

Students should be encouraged to consider how they would hope to respond to the ethical issues when/if they face them in their career, and to evaluate their anticipated responses in the context of the codes of ethics. Answers will not be easy for some questions. For example, the ACM/IEEE-CS Code of Ethics requires software engineers to "act consistently with the public interest." However, if we recognize that the overall "public interest" incorporates both technical and political considerations, then individual decision-making becomes complex. How does the technically-oriented individual take into account that public policy considerations could outweigh technical conclusions? Is it reasonable to work on a project that is technically impossible but that is a political priority for society? How can one assure that the political decision was made with full knowledge of the technical impossibility?

USE OF THIS MODULE IN TEACHING

This curriculum module is packaged as a PowerPoint presentation that incorporates several MPEG video clips, as outlined in the table below (see Table II). The complete original debate video ran over two hours, and so only the most relevant and useful portions have been digitized and extracted for use in this module. The debate presentations by Weizenbaum and Cohen are not included. Since these were the second presentation for each side of the issue, they naturally do not cover as much new material. The questions from the debate audience are also not included, as the pace of this portion of the original video is rather slow.

TABLE II
TOPIC AND LENGTH OF VIDEO CLIPS USED IN THE PRESENTATION

President Reagan's call for SDI program         0:42
Michael Dertouzos' overview of SDI              6:01
David Parnas' argument against feasibility     22:13
Charles Seitz' argument for feasibility        16:38
David Parnas' rebuttal                          5:35
Charles Seitz' rebuttal                         2:31

The complete module could easily take three 50-minute class periods, or two 75-minute class periods. With extended discussion time and/or in-class active learning exercises, covering the complete module might take an additional class period or two. On the other hand, with judicious selection of material and use of class time, the core issues might be covered in as little as one 50-minute class period. Suggestions for using the module in different formats are summarized below.

Pre-class exercises.

Students will get the most out of the module if they complete a pre-class assignment that gets them thinking about the issues. Several different possible pre-class assignments are useful. One is to have the students perform a web search to write short biographical sketches on Parnas, Seitz, and Dertouzos. At a minimum, they should discover such things as that Seitz invented the "Cosmic Cube" parallel computing architecture that gave rise to commercial systems marketed by Intel and Ncube, and that Parnas was the leader of the Naval Research Lab's "Software Cost Reduction" project (dealing with software technology in aircraft weapons systems) prior to joining the SDI computing panel. It is valuable for students to see the accomplishments of such people, and consider how the backgrounds of the debate participants qualify them to offer expert opinions on the subject.

Another possible pre-class exercise is for students to go to the BMDO web site and prepare a one-page summary of the current national missile defense scenario. Yet another possibility is to have the students use Nexis or do a web search to locate information on the three to five most recent tests of missile defense system components. If the whistle-blowing aspects of the incident will be emphasized, then it will be helpful if they do some background reading ahead of time (e.g., [15, ch. 7] and a selected worksheet from that chapter).

One 50-minute class, plus homework assignment.

It should be possible to successfully use a portion of the materials to provide an overview of essential issues in testing safety-critical software in one 50-minute class. The class presentation would use about 20 PowerPoint slides, plus the video clips of Reagan, Dertouzos, and Parnas. The total time of the three video clips is about 30 minutes. This leaves just enough time to introduce the ballistic missile defense problem, present the software life cycle as an organizing framework, and orient the students to analyze Parnas' argument as a homework assignment.
The 50-minute period would be organized into three segments. The first segment would be about 10 minutes in length. It would begin with a series of a half dozen slides that support giving a basic definition of ballistic missile defense, and reminding students of the activities in the system analysis and requirements analysis phases of the traditional software life cycle. It would then move to watching the video clip of President Reagan's call for the SDI program. Based on the video clip, students are asked to formulate a high-level statement of SDI system requirements. Several students can be called on for a suggested requirements statement. The supporting PowerPoint material notes that a requirements statement might focus on either of two parts of Reagan's speech. Parnas focuses on the part where Reagan says: "I call upon the scientific community to give us the means of rendering these nuclear weapons impotent and obsolete." Alternatively, Seitz focuses more on the part where Reagan says – "I am directing a long-term R&D program to begin to eliminate the threat posed by strategic nuclear missiles." In either case, the general software requirements are to take in sensor data and direct weapons systems to destroy an incoming attack before it reaches the United States.

The next segment of the class would again be about 10 minutes in length. It would mention the M.I.T.-CPSR debate, identify the participants in the debate, and then watch the six-minute video clip of Dertouzos' overview of the SDI problem. Based on his presentation, students should get a greater appreciation for the vastness of the geographic area to be monitored by sensors, the numbers of warheads and decoys to be handled in an attack, and the time scale of an attack. They should also get a better idea of the data flow and decision-making involved.

The next segment of the class would be about 30 minutes in length. The main portion of this is spent watching the video clip of Parnas' presentation. This prepares the students for a homework assignment to diagram, in premise-conclusion form, Parnas' argument. To get the students oriented for this analysis, it is useful to walk through identifying the conclusion of the argument with them. The homework assignment for the students, then, is to identify the premises used to support this technical conclusion. Students should be able to identify a sequence of three to five technical premises, and to give some indication of their own belief in the truth of each premise. The PowerPoint material includes transcribed versions of some of the overheads in Parnas' presentation. If desired, these can be printed and given to students as a handout for use in the homework assignment. The homework assignment can be handed in and graded according to how many and how well the main premises are identified. At a minimum, students should be expected to identify the premises that the specifications for the software are necessarily unknown, that there is no chance for any realistic system-level testing, and that there is no chance for debugging during operation. Additional slides can be used in a future class to review the analysis of the premises after the assignment is completed. To connect this analysis of the Reagan-era SDI program with current national missile defense scenarios, students might be asked the additional homework question of how their overall analysis of the argument would change if the scenario involved no more than ten missiles and ten decoys launched from an area such as North Korea or Iraq.

The primary weakness of covering this subject in a single 50-minute class is that the "other side" of the argument, as made by Seitz, is not covered. However, Parnas advances an in-principle argument that should stand or fall on its own merits. Also, Seitz does not directly address the premises advanced by Parnas. Thus while additional time will certainly improve students' understanding of the problem, it should still be useful to cover the essentials of Parnas' argument in one 50-minute class.

One 75-minute class, plus homework assignment.

Several options are available for covering this module in one 75-minute class. One possibility is to not present any additional material from the PowerPoint and video clips, but to use the additional time for an active-learning style exercise that focuses on analyzing Parnas' argument. After watching Parnas' presentation and guiding the students to the conclusion of his technical argument, allow a short time (three to five minutes) for students to individually identify the premises supporting this conclusion. Then call on some students to give one of their premises and build a list of premises on the board. Once a full premise-conclusion summary of the argument is constructed from student responses, ask for one person to argue for and another against the truth of each premise. If time permits, ask if Parnas' analogy for the level of reliability expected of SDI software (an expectation similar to that of your car starting when you turn the key) is appropriate, and if other analogies might be more appropriate. As a follow-up homework assignment, students can be asked to analyze how the truth of the premises and conclusion would change for a scenario of an attack consisting of tens of missiles from a smaller country.

A different option for one 75-minute class would be to use the material in the module to present a summary of Parnas' argument after
viewing his presentation, and then watch Seitz' presentation and also use the prepared material to present a summary of his argument. The class would then end at the point where a natural homework assignment would be for students to write a short critique of the relative merits of the two arguments.

Two or more classes.

Full coverage of this module would normally take two, or possibly three, classes. This allows time to also see the video clips of the rebuttal statements, and to analyze the issues from different perspectives. It also allows time for assessment of the premises used in the arguments. An important additional perspective is to explicitly identify the ethical issues involved, and to discuss the guidance that the codes of ethics give. Students should be able to easily identify relevant items of the AITP Standards of Conduct, the ACM/IEEE-CS Software Engineering Code of Ethics, and the ACM Code of Ethics. Analysis of the guidance provided by the codes of ethics could be done either as an in-class active learning style activity or as a homework assignment.

Connection to whistle-blowing.

While Parnas' actions are commonly referred to as whistle-blowing, this case does not at all present a typical whistle-blowing scenario. If anything, this incident may have increased Parnas' professional stature and visibility. Students should not be left with the impression that the typical whistle-blower fares so well. It is important that students also see a more standard treatment of whistle blowing [15].

There are several good whistle-blowing case studies of relevance to students in computing and information systems majors. One is the case of Goodearl and Aldred versus Hughes Aircraft [13]. This case study involves (lack of) testing of hybrid computer chips used in military weapons systems. One advantage of this case is that it has been the subject of criminal and civil court cases that have run to conclusion, and so there is a good deal of documentation surrounding the case. A current case that is even more directly related to SDI is that of Nira Schwartz versus TRW [14]. In this case, an engineer working on missile defense software "has charged the company with faking tests and evaluations of a key component for the proposed $27 billion antimissile system" [14] (see also [19]). The allegations in this case can be seen to come back to the central point in Parnas' argument, that of designing a system to meet unknown specifications.

For a general introduction to whistle blowing, in particular the use of the "False Claims Act" in connection with fraud on the federal government, a good additional video resource is available from the Taxpayers Against Fraud organization [18]. The video presents short summaries of three whistle-blowing cases that involve legal action under the False Claims Act. It clearly makes the points that whistle blowing is often done at great personal cost, that it often involves saving lives as well as government money, and that it requires gathering and presenting information carefully. Importantly, the video also presents some of the history of, and motivation for, the False Claims Act (originally adopted under Abraham Lincoln). The video is just over seventeen minutes long. A short review of the video and suggestions for using it in class can be found at www.cse.nd.edu/~kwb/nsf-ufe/.

Use in a software engineering course.

When the module is used in a software engineering course, there will likely be relatively more time spent on the software testing issues and relatively less on the ethics issues. It is important that the ethics issues still be addressed, of course. At a bare minimum, students should be made aware of what the professional codes of ethics say about requirements, specifications, testing, and validation of software. Software engineering students may be able to usefully devote more time to Parnas' arguments about why SDI presents a unique computing problem and why it would not be able to be realistically tested. Also, there is a quote by James Ionson from the Reagan-era SDI office to the effect that SDI software does not have to be error-free, but only fault-tolerant, and that "if another million lines of code has to be written to ensure fault tolerance, then so be it." This quote should provide an interesting opportunity to discuss what is meant by error-free and fault-tolerant.

Use in a science, technology, and public policy course.

Students in this type of course are likely, overall, to be less interested in the technical details of software development and testing and more interested in the decision-making and public policy aspects of the case. An interesting discussion theme for this type of course may be the politics/technology decision-making conflict mentioned earlier. That is, what are the implications of making a political decision to pursue a system that is doomed to failure on technical grounds? What is the responsibility to make the technical assessment of the project known to the public? What is the responsibility of technical professionals working on such a project – does pursuit of quality standards still have meaning?

CHALLENGING REAL-WORLD PROBLEM

Safety-critical software is an important topic for courses in ethics and computing, computers and society, software engineering, technology and public policy, and other related areas. The missile defense problem presents the most challenging real-world software engineering problem imaginable – to interpret real-time sensor data taken under natural conditions and appropriately handle an attack by an intelligent adversary likely to employ strategies that have not been fully anticipated. The currency of the national missile defense problem makes analysis of this Reagan-era SDI case study highly relevant for today's students. The historical view of over fifteen years should allow a more objective evaluation of the issues. The basic technical issues still apply to any system envisioned today.

This case study allows opportunities for extended critical-thinking exercises, including the development of summary pro/con arguments and the design and evaluation of system testing plans. It also allows opportunity for analysis of how the professional codes of ethics deal with the issues involved, and connection to whistle-blowing topics. For advanced students in computing majors, it can be used to provide motivation for discussion of concepts such as fault-tolerance in software, consistency in distributed databases, and the Byzantine agreement problem.

This curriculum module is being made available free of charge for use in academic teaching. The materials may be downloaded from the web site http://www.cse.nd.edu/~kwb/nsf-ufe/starwars/. This web site also contains a wealth of other materials created under partial sponsorship of an NSF DUE grant on teaching ethics and computing. Also, faculty may obtain a copy of the material by sending two blank CDs to the author, with stamped, self-addressed return mailing container.

ACKNOWLEDGMENT

Special thanks are due to David Parnas and Chuck Seitz for reading and commenting on earlier drafts of this paper. It was Chuck Seitz' suggestion to include copies of the Eastport Report and the OTA report with the other materials for the module.

Professors Robin Murphy and Bill Albrecht at USF, Don Gotterbarn at ETSU, Doris Appleby at Marymount College, and Gordon Hull at Vanderbilt provided valuable feedback from classroom-testing an early draft of this module, resulting in a number of improvements. Thanks are also due to an anonymous reviewer who provided several excellent suggestions for revisions that have been incorporated into the final version. Christine Kranenburg and Laura Malave provided substantial assistance in creating the PowerPoint and digitized video to support the use of this module. The idea to develop a curriculum module on this topic was originally suggested to me by Joe Wujek at one of the NSF-sponsored UFE workshops.

REFERENCES

[1] R. Reagan, "Address to the nation on national security," Mar. 23, 1983, VHS video, The Reagan Library, 40 Presidential Drive, Simi Valley, California, 93065-0699. http://www.reagan.utexas.edu/.
[2] D.L. Parnas, "Software aspects of strategic defense systems," Communications of the ACM, vol. 28, no. 12, pp. 1332-1335, Dec. 1985.
[3] D.E. Mosher, "The grand plans," IEEE Spectrum, vol. 34, no. 9, pp. 28-39, Sept. 1997.
[4] Special issue on ballistic missile defense, IEEE Spectrum, vol. 34, no. 9, Sept. 1997.
[5] The Association of Information Technology Professionals (AITP). Web site http://www.aitp.org.
[6] DOD Ballistic Missile Defense Organization (BMDO). Web site http://www.acq.osd.mil/bmdo/.
[7] W. Panofsky, "Nuclear offense versus defense," Science, vol. 291, no. 23, Feb. 2001, 1447.
[8] D.L. Parnas, "Parnas on Parnas: A life of indecision," ACM SigSoft Software Engineering Notes, vol. 24, no. 4, pp. 47-49, July 1999.
[9] W.J. Broad, "Scientist at work: Philip E. Coyle III; Words of caution on missile defense," New York Times, Jan. 16, 2001.
[10] R.J. Smith, "Bad weather, computer woes delay laser test," The Washington Post, Oct. 8, 1997.
[11] "Possible Soviet responses to the U.S. Strategic Defense Initiative," Central Intelligence Agency memo NICM 83-10017, Sept. 12, 1983. Available at http://www.fas.org/spp/starwars/offdocs/m8310017.htm
[12] "The SDI imperative" (editorial), National Review, Feb. 22, 1999.
[13] K.W. Bowyer, "Goodearl and Aldred versus Hughes Aircraft: A whistle-blowing case study," Frontiers in Education (FIE '00), pp. S2F-2-S2F-7, Oct. 2000.
[14] "Former engineer says company faked tests," The Tampa Tribune, Mar. 7, 2000.
[15] K.W. Bowyer, Ethics and Computing: Living Responsibly In A Computerized World, 2nd ed. New York, NY: IEEE/Wiley, 2001.
[16] K.W. Bowyer, "Resources for teaching ethics and computing," J. Information Systems Education, vol. 11, no. 3-4, pp. 91-92, Summer-Fall 2000.
[17] Software Engineering Code of Ethics, IEEE Computer Society web site: http://www.computer.org.
[18] Taxpayers Against Fraud, Fighting Fraud: Citizen Action and the Qui Tam Remedy, VHS format video tape can be ordered from www.taf.org. Taxpayers Against Fraud, The False Claims Act Legal Center / 1220 19th Street, NW, Suite 501 / Washington, DC 20036.
[19] 60 Minutes II, America's Dream Defense, originally aired Dec. 26, 2000. Transcript available from CBS News through Burrell's Information Services. 1-800-777-8398.
[20] K.W. Bowyer, "'Star Wars' revisited – A continuing case study in ethics and safety-critical software," in Proc. Int. Symp. Technology and Society 2001 (ISTAS '01), July 2001. A shorter version also appears in Frontiers in Education 2001 (FIE '01).
[21] F.P. Brooks, The Mythical Man-Month. Reading, MA: Addison-Wesley, 1995.
[22] Eastport Study Group, Summer Study 1985: Rep. to the SDIO Director, Dec. 1985.
[23] U.S. Congress, Office of Technology Assessment, Ballistic Missile Defense Technologies, OTA-ISC-254. Washington, DC: U.S. Government Printing Office, Sept. 1985.
[24] "U.S. may deploy defenses untested," Tampa Tribune, June 8, 2001.
[25] "Bush missile plan faces huge obstacle," Tampa Tribune, June 9, 2001.
[26] Comments by Newt Gingrich in the transcript of National Public Radio's "All Things Considered," July 18, 2001. Available through http://www.npr.org/about/transcripts/index.html
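As an added illustration of two points the article makes (this is not code from the original paper or from the curriculum module it describes): the "margin of safety" idea that over-capacity relative to the threat buys confidence only as long as individual failures are independent, and the observation that software which works only "provided that the Pentagon does not have wrong information about what kinds of warheads and decoys an enemy is using" cannot be rescued by adding capacity. The single-shot kill probability, the threat sizes and the specification-error probability are constructed inputs, not figures from the article.

```python
"""Constructed model: how much over-capacity a missile defense needs for a given
threat size, and why a wrong assumption about warhead/decoy characteristics
(a common-mode failure) is not offset by extra capacity.  Added illustration,
not part of the article or its curriculum module; all numbers are made up."""
from typing import List, Optional, Tuple


def p_target_destroyed(p_kill: float, shots: int) -> float:
    """Probability that one incoming warhead is destroyed when `shots`
    interceptors are fired at it, each succeeding independently with p_kill.
    One shot per warhead is the bare requirement; every extra shot is margin."""
    return 1.0 - (1.0 - p_kill) ** shots


def p_attack_defeated(p_kill: float, shots: int, warheads: int,
                      spec_error: float = 0.0) -> float:
    """Probability that every warhead in an attack of `warheads` is destroyed.

    Individual shot failures are modelled as statistically independent; that is
    the assumption under which adding capacity raises confidence.  `spec_error`
    is a constructed common-mode term: the probability that the assumed
    warhead/decoy specifications are wrong, in which case discrimination fails
    for every shot at once and no amount of capacity helps.
    """
    if not (0.0 <= p_kill <= 1.0 and 0.0 <= spec_error <= 1.0):
        raise ValueError("p_kill and spec_error must lie in [0, 1]")
    if shots < 0 or warheads < 0:
        raise ValueError("shots and warheads must be non-negative")
    per_target = p_target_destroyed(p_kill, shots)
    return (1.0 - spec_error) * per_target ** warheads


def shots_needed(p_kill: float, warheads: int, confidence: float,
                 spec_error: float = 0.0, max_shots: int = 64) -> Optional[int]:
    """Smallest number of shots per warhead at which P(attack defeated) reaches
    `confidence`, or None when no capacity up to `max_shots` gets there.
    With spec_error > 0 the ceiling is (1 - spec_error): confidence above that
    ceiling is unattainable however much the system is over-engineered."""
    for shots in range(1, max_shots + 1):
        if p_attack_defeated(p_kill, shots, warheads, spec_error) >= confidence:
            return shots
    return None


def capacity_table(p_kill: float, confidence: float, threats: List[int],
                   spec_error: float = 0.0
                   ) -> List[Tuple[int, Optional[int], Optional[int]]]:
    """For each threat size, (warheads, shots per warhead, total interceptors)
    needed to reach `confidence`; the last two are None when it is unreachable."""
    rows = []
    for warheads in threats:
        shots = shots_needed(p_kill, warheads, confidence, spec_error)
        total = None if shots is None else shots * warheads
        rows.append((warheads, shots, total))
    return rows


if __name__ == "__main__":
    # Constructed inputs: 80% single-shot kill probability, 90% required
    # confidence, a limited ten-warhead scenario up to a Reagan-era-sized attack.
    for warheads, shots, total in capacity_table(0.8, 0.9, [10, 100, 10000]):
        print(f"{warheads:>6} warheads: {shots} shots each, {total} interceptors")
    # A 20% chance that the assumed decoy characteristics are wrong caps the
    # achievable confidence at 0.8, so 0.9 is unreachable at any capacity.
    print("with 20% spec error:", capacity_table(0.8, 0.9, [10], spec_error=0.2))
```

The total-interceptor column is what grows out of reach at Reagan-era threat sizes, while the None rows show the TRW "provided the specifications are right" condition: a specification error is not a shot that can be retried.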