Patriot Missile Defense: The US Response to the Patriot’s Deadly Software Bug

Nick Pafundi
CSC 300-01
January 4, 2010

Abstract

Fatal Defect by Ivars Peterson gives many examples of software causing physical and financial harm to people. Medical devices, defense equipment, and financial software have all failed, causing harm and death to hundreds of people. The Patriot Missile system, designed in 1969 and produced in 1976, is a defensive weapon used by the United States and other allied countries. The Patriot Missile system uses a combination of high-performance radar and interceptor missiles to perform anti-ballistic missions and defend the airspace in critical military installations. In 1991, a software bug was found in the Patriot Missile system. This bug – a software timing issue – caused the Patriot Missile to miscalculate trajectories of airborne threats, therefore not intercepting them properly. Because of this bug, there was at least one case where many soldiers died because a Scud missile was fired into a military base without being intercepted. The Israelis had identified this problem and informed the United States Army, but the US Army continued using the Patriot Missile System without attempting to resolve the issue or informing the Patriot users. A few days later, a Scud missile hit a US Army barracks in Dhahran, Saudi Arabia, killing twenty-eight soldiers. The US Army’s response to finding the bug in the Patriot Missile system was unethical under many principles, as this paper will discuss.

Contents
1 Facts
2 Issue
3 Importance
4 Arguments
4.1 Ethical
4.1.1 No Expectation of Scud Interception
4.1.2 No Expectation of Extended Operation
4.1.3 “IDF Should Have Done More”
4.2 Unethical
4.2.1 Prior Knowledge of Bug from Israeli Defense Force
4.2.2 United States Army Incompetence
4.2.3 Deaths Caused by Patriot Missile Bug
5 Analysis
5.1 Software Engineering Code of Ethics
5.1.1 Introduction: SE Code of Ethics
5.1.2 No Expectation of Scud Interception
5.1.3 United States Army Incompetence
5.1.4 Deaths Caused by Patriot Missile Bug
5.1.5 Conclusions from the SE Code of Ethics
5.2 Utilitarianism
5.2.1 Introduction: Utilitarianism
5.2.2 Deaths Caused by Patriot Bug and Prior Knowledge of Bug from IDF
5.2.3 Scud Interception Rate
5.2.4 Cost of Life vs Cost of Fixing the Problem
5.2.5 Conclusions from Utilitarianism
5.3 Deontology
5.3.1 Introduction: Deontology
5.3.2 Prior Knowledge of Bug from IDF: Negative Formulation
5.3.3 Prior Knowledge of Bug from IDF: SE Code by Deontology
5.3.4 Conclusions from Deontology
6 Conclusion

1 Facts

The Patriot Missile is a long-range surface-to-air air-defense system with the primary
mission of protecting United States and allied troops from enemy aircraft and missiles. 1 The Patriot Missile system was originally designed in the late 1970’s as an antiaircraft weapon, but later modified to also protect against cruise missiles and short range ballistic missiles. 2;3 The Patriot Missile system consists of multiple parts, which together form a cohesive defense platform. 4 The Patriot Missile contains a ground radar which scans the airspace above for airborne threats, such as enemy planes or missiles. A control computer inside the Patriot’s control station “obtains target information from the system’s radar,” and uses the data to “identify, track, and intercept” these threats. 4 After validating that a threat exists, the Patriot enters a “tracking” mode that only scans a specific area for the threat, known as the “range gate.” 4 If the threat leaves this range gate, the Patriot will not be able to properly track the threat. 4 Army Officials have stated that Patriot Missiles have successfully intercepted 24 of 85 Scud missiles, and an even higher percentage of enemy aircraft, 5 though other sources claim only 77 Scud engagements. 6 During the Gulf War, the Patriot’s primary mission was to shoot down incoming Iraqi Scud or “Al-Hussein” missiles launched at United States troops, allied troops, and civilians in Israel and Saudi Arabia. 
2 The United States Army claimed an interception success rate of 70% in Saudi Arabia and 40% in Israel, 2;3 but “the Army did not collect performance data during Operation Desert Storm that would permit an absolute determination of how many of its targets the Patriot killed or failed to kill because it was operating in a war zone rather than on a test range.” 3 The General Accounting Office of the United States reported that the Patriot Missile system was intended to be a mobile defense platform to protect against Soviet medium- and high-altitude aircraft and cruise missiles traveling at speeds up to Mach 2 (1500 mph). Scud missiles fly at approximately Mach 5 (3750 mph), so the United States Army relied on operational experience of Patriot users and other intelligence sources to modify the Patriot system to provide the capability to intercept these missiles. 4 These changes were designed and incorporated in Patriot Missile systems in less than one week. 3 Prior to the Gulf War, the Patriot Missile system had never been tested in combat, nor against Scud missiles. 2;4 The Patriot was intended to be constantly relocated to avoid detection by enemy aircraft, never staying in one place for more than a few hours. During the Gulf War, some Patriot Missile batteries (groups of multiple Patriot Missiles and controllers) in Saudi Arabia were left operational in one location, Dhahran, Saudi Arabia, for many days. 4 Operators were not trained as thoroughly as expected, and some operators caused Patriots to malfunction by “pressing the wrong buttons.” 7;8

The Israeli Defense Forces (IDF) recorded and analyzed data while using the Patriot Missile system, and found an anomaly in the data they collected. 4 The IDF data indicated a loss of system accuracy “after the system had been running for 8 consecutive hours”; this data was promptly sent to the US Army. 4 This inaccuracy occurred when the system time (an integer) and velocity (a whole number) were converted to real numbers for tracking calculations. Converting these numbers required high precision, but the registers in the computer could only store 24 bits of data, resulting in a loss of accuracy. As the “uptime” (time the system was in operation) of the system increased, the precision of the calculation decreased dramatically. 4 The IDF noticed that after eight hours of operation (28,800 seconds), the calculated time would be 28799.9725, an inaccuracy of 0.0275 seconds. 4 Due to the system’s inaccuracy, the range gate calculated by the Patriot is off by approximately seven meters after one hour. This inaccuracy increases as a function of time, and after eight hours of continuous operation, the range gate will have shifted by 55 meters (a 20% shift).
A target must be near the center of this range gate to properly be tracked and intercepted, and a shift in the range gate would cause a target to be off-center. 4 The data of this inaccuracy was received by the United States Army on February 11, 1991. 4 When this intelligence was received, US Army officials said “they believed the Israeli
experience was atypical – they assumed other Patriot users were not running their systems for 8 or more hours at a time.” 4 Because of this, the US Army did not immediately alert Patriot users of the software bug. 4 A software update was necessary for the Patriot’s Scud missile tracking to be more accurate, and the Army implemented the fix five days after the data was released; February 16, 1991. In addition, the data provided by the IDF identified a temporary solution to the problem – restarting the Patriot’s control computer would reset the system time to zero, which would cause the inaccuracy to be zero. If the control computer was restarted every eight hours, the inaccuracy would be small enough that the Patriot could still track incoming Scud missiles. 4 Though a patch was created and a temporary solution was identified, Army officials did not release this patch, nor did they send a message to Patriot users informing them of the problem or temporary solution. 4 On February 21, 1991 (ten days after the original problem had been identified, and five days after the patch was created), the Patriot Project Office sent a message to Patriot users. The message stated that “very long run times” could cause a shift in the range gate, resulting in the “target being offset.” The message told users that an update would be sent that could improve the system’s targeting, but there was no mention of what constituted a “very long run time.” 4 Army officials did not provide more information or guidance, under the assumption that Patriot systems would not be in one location for extended periods of time. 4 Therefore, Patriot users did not know that restarting control computers would temporarily fix this problem; a solution that takes sixty to ninety seconds to perform. 4 Six Patriot Missile batteries protected the air fields and sea ports of Dhahran, Saudi Arabia. The Dhahran Air Base was under the protection of Alpha Battery. 
On February 25, 1991, Alpha Battery had been in operation for over 100 consecutive hours. The inaccuracy of the time calculation caused the range gate to be shifted by 687 meters. Consequently, Alpha Battery did not engage a Scud missile fired at the Air Base. This Scud struck a United States Army barracks, killing twenty-eight American soldiers. 4

On February 26, 1991, one day after the attack, the modified software arrived in Dhahran. 4
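
The timing drift described above can be reproduced with a few lines of fixed-point arithmetic. The following is an added example, not code from this paper or from the Patriot system. It assumes the clock is an integer count of tenths of a second and that the factor 1/10 is chopped to 23 fractional bits of the 24-bit register, and it uses a closing speed of 2000 m/s, which is the value implied by the paper's own figures (55 m for 0.0275 s) rather than a number the paper states.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed model, not stated on the page: the clock is an integer count of
 * 0.1 s ticks, and the factor 1/10 is held chopped (not rounded) to 23
 * fractional bits of a 24-bit register. */
#define FRAC_BITS      23
#define SCALE          ((int64_t)1 << FRAC_BITS)
#define TICKS_PER_HOUR 36000

/* Assumed closing speed: the value implied by the page's own pair of
 * figures (a 55 m shift for a 0.0275 s error), not a stated number. */
#define IMPLIED_SPEED_M_PER_S (55.0 / 0.0275)

/* 1/10 as the register holds it: floor(2^23 / 10) = 838860. */
int64_t chopped_tenth(void) {
    return SCALE / 10;
}

/* Seconds the system computes for a given integer tick count. */
double computed_seconds(int64_t ticks) {
    return (double)(ticks * chopped_tenth()) / (double)SCALE;
}

/* True elapsed time minus computed time after a continuous run. */
double clock_error_seconds(double uptime_hours) {
    int64_t ticks = (int64_t)(uptime_hours * TICKS_PER_HOUR);
    return (double)ticks / 10.0 - computed_seconds(ticks);
}

/* Range gate displacement produced by that clock error. */
double range_gate_shift_m(double uptime_hours) {
    return clock_error_seconds(uptime_hours) * IMPLIED_SPEED_M_PER_S;
}

/* Worst shift seen when the control computer is restarted on a fixed
 * schedule: a restart zeroes the tick count, so the error never grows
 * past what one restart interval accumulates. */
double worst_shift_with_restarts(double uptime_hours,
                                 double restart_every_hours) {
    double since_restart = uptime_hours < restart_every_hours
                               ? uptime_hours
                               : restart_every_hours;
    return range_gate_shift_m(since_restart);
}

int main(void) {
    const double hours[] = {1.0, 8.0, 20.0, 48.0, 72.0, 100.0};
    size_t i;

    printf("1/10 in the register: %lld / 2^%d\n",
           (long long)chopped_tenth(), FRAC_BITS);
    printf("%8s %14s %12s %22s\n",
           "hours", "clock err (s)", "shift (m)", "shift, 8 h restarts");
    for (i = 0; i < sizeof hours / sizeof hours[0]; i++) {
        printf("%8.0f %14.4f %12.0f %22.0f\n",
               hours[i],
               clock_error_seconds(hours[i]),
               range_gate_shift_m(hours[i]),
               worst_shift_with_restarts(hours[i], 8.0));
    }
    return 0;
}
```

The error per tick is constant, so the drift is linear in uptime, and the last column shows why a scheduled restart bounds it.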

2 Issue

Was the United States Army’s response to the 1991 bug found in the Patriot Missile code ethical?

3 Importance

Determining whether or not the response by the United States to the bug found in the
Patriot Missile system was ethical is important for a couple reasons. First, software engineers are commonly asked to create safety-critical software when it may not be possible to do so. 8 Software engineers still attempt to implement these “impossible” jobs because they believe it is possible or they do not fully understand the specification. 9 The United States Army wanted the Patriot to have functionality to intercept Scud missiles, and wanted this functionality to be implemented quickly. 4 Knowing the effect this decision had on the United States Army can show us whether this decision was ethical or unethical, and the results can then be used to make future decisions. Additionally, the United States response to the bug had large implications, especially to the soldiers who died in the Scud attack. If the United States Army had taken an ethical course of action, these soldiers may not have been killed in the attack. After determining the ethicality of the US Army’s response to the bug, their decision can be used as a basis to help judge future decisions in related areas. Because software played a big role in these decisions, the unethicality of the US response may translate to unethical software practices, which may have been the root cause of death for the twenty-eight soldiers.

4 Arguments

4.1 Ethical

4.1.1 No Expectation of Scud Interception

There are multiple arguments that display the ethicality of the United States response to the 1991 Patriot Missile software bug. First, when the Patriot Missile system was created, it had the primary mission of targeting Soviet high- and medium-altitude aircraft and cruise missiles flying at relatively slow speeds of Mach 2 (approximately 1500 mph). At the time, there was no expectation that the Patriot would be used to intercept Scud missiles, which fly two and a half times faster, approximately 3750 mph. 4

4.1.2 No Expectation of Extended Operation

The Patriot Missile system was not created to intercept Scud missiles, but rather it was intended to be used as a mobile defense platform. To avoid detection, the Patriot was expected to stay in one position for only a short period of time, no more than a few hours. 4 The Patriot Missile system in Dhahran, Saudi Arabia had been operational for more than 100 hours without moving, which was not intended. 4

4.1.3 “IDF Should Have Done More”

Another argument states that the Israeli Defense Forces should have done more to inform the United States Army about the urgency of repairing the software. The IDF sent intelligence to the United States Army on February 11, 1991. This intelligence contained data that clearly displayed the inaccuracy in the Patriot Missile; however, the IDF did not follow up with the United States Army to try to correct the problem. 4

4.2 Unethical

4.2.1 Prior Knowledge of Bug from Israeli Defense Force

The United States response may also be considered unethical after looking at different facts. Two weeks prior to the Dhahran incident, the United States Army received intelligence from the Israeli Defense Force stating that there was a lack of accuracy when the Patriot Missile was operational for extended periods of time. 4 Additionally, it was known that rebooting the Patriot every eight hours would reset the system clock, effectively reducing the inaccuracy. The United States had this information, but did not act to correct the issue immediately. 4

4.2.2 United States Army Incompetence

When the United States Army received Israeli intelligence consisting of bug data collected on multiple Israeli Patriot Missiles, the US Army said they “believed the Israeli experience was atypical.” 4 They assumed operators of other Patriot Missiles were not running their systems for 8 or more hours at a single time. Because of this, the US Army didn’t immediately alert Patriot users of the flaw. Not a single message was sent to the users for six days, and even then the tone of the message did not convey urgency to Patriot users. 4

4.2.3 Deaths Caused by Patriot Missile Bug

Finally, though there have been many reported incidents with the Patriot Missile system, 10 only one is known to have resulted in the death of twenty-eight soldiers in the United States Army. 4 If these soldiers were only killed due to a software error in the Patriot Missile system, their deaths are unacceptable and may be considered unethical.

5 Analysis

To determine the ethicality of the United States Army’s response to the Patriot Missile
software bug, a variety of arguments and analyses will be presented. The Software Engineering Code of Ethics will be examined, in addition to both Utilitarian and Deontological ethical principles. After appropriate arguments are provided, a conclusion will be drawn from the results.

5.1 Software Engineering Code of Ethics

5.1.1 Introduction: SE Code of Ethics

In this section, multiple arguments will be analyzed using the Software Engineering Code of Ethics. Each subsection will explain an argument and its ethicality under the guidance of the Software Engineering Code of Ethics. The SE Code of Ethics contains many important ethical responsibilities that software engineers should have taken into account when creating the Patriot Missile system. 11 Additionally, the Preamble of the SE Code of Ethics explains that managers of software engineers are also morally bound by the SE Code of Ethics. 11 This section (5.1) will use the term “software engineer” in reference to software engineers and their managers, whether or not the managers are software engineers themselves. As the Preamble of the SE Code states, software engineers and their managers are equally responsible to uphold the SE Code of Ethics. 11 Some responsibilities may have been overlooked when implementing patches and updates in the Patriot Missile system (prior to 1991), and this section will look at each of these points. Finally, a conclusion regarding the ethicality of the United States response to finding the 1991 Patriot Missile bug will be determined using the SE Code of Ethics as a guide.

5.1.2 No Expectation of Scud Interception

The Patriot Missile was not intended to be used as a Scud Interceptor. 4 The Dhahran incident only occurred because a Scud missile could not be tracked properly by a Patriot Missile battery. 4 Some might argue that because the Patriot was not originally intended to intercept Scud missiles, the fact that it did not protect Dhahran from a Scud is unfortunate, but not the fault of the US Army. Though this argument seems valid, it is still flawed under the SE Code of Ethics. Point 3.15 of the SE Code states that software engineers are obligated to “treat all forms of software maintenance with the same professionalism as new development.” 11 Additionally, software engineers should “ensure adequate testing, debugging, and review of software...” (3.10) 11 The United States Army requested the capability of Scud interception to be added to the Patriot, and the software to add such functionality was implemented within one week. 3 This update may be considered “software maintenance,” while the original engineering (hardware and software) of the Patriot Missile system was “new development.” Because of the one-week period in which this update was created and implemented, it is unlikely that there would have been adequate time for testing, and the “software maintenance” (the update) would not have received the same professionalism as new development. (The Patriot Missile system was created over a period of many years, contrasted with a one-week safety-critical update.) If this update had received adequate testing, the US Army would have possibly noticed the timing bug earlier, and corrected it before this safety-critical update was implemented on Patriot batteries that were actively protecting US troops. 
Furthermore, the second point in the SE Code of Ethics (1.02) states that a software engineer should “moderate the interests of the software engineer, the employer, the client, and the users with the public good.” 11 This moderation is necessary when each party is interested in different results, especially if they do not align with the “public good.” In this case, the “public” consists of soldiers and civilians that the Patriot Missile is actively protecting, and the “public good” is the well-being of those people. The software engineers,
in this case the engineers hired by the US Army, had a responsibility to moderate, with their primary focus being the well-being of the public. In the case of the Patriot Missile, the United States Army (the “employers”) and software engineers did not have primary operational experience in intercepting Scud missiles, or knowledge of whether the Patriot Missile system would have the capability to intercept these missiles. 4 The US Army needed the Scud interception functionality to be added in a timely manner, but the SE Code explains that software engineers should be just as (if not more) concerned with public safety than their employers requests. 3;11 Specifically, the engineers should have explained to the US Army that the Army’s request (to implement the Scud interception functionality in such a short time frame) was not advisable, as there would not be adequate time for testing the upgraded software. Not testing the software is not in line with the “public good,” because the thousands of lives protected by the Patriot system are dependent on the safety-critical software. The fact that the software was updated in one week shows that there was likely not ample time to thoroughly test the upgrade. 3 Because the “public good” must come first, the software engineers should have requested more time to work on a solution; if there was not enough time to test the upgrade, this good was not moderated with the needs of employers.

5.1.3 United States Army Incompetence

Sections 1.04 and 1.05 of the SE Code of Ethics state that software engineers should be concerned with public safety. Point 1.04 states that software engineers have an obligation to “disclose to appropriate persons . . . any actual or potential danger to the user, [or] the public . . . that they reasonably believe to be associated with software. . .” 11 Breaking this point apart, some terms must be defined. For our purposes, “actual” danger can be defined as a known danger that can harm the public good and can be caused by the Patriot’s software or resulting from its use. “Potential” danger is any possible danger to the public that may occur from use of the Patriot’s software. People that have a need to know whether the software is dangerous may be considered “appropriate persons,” such as Patriot users and
the public that is under protection by the Patriot. If working properly, the Patriot Missile system can save lives by eliminating threats. However, no defensive weapon is foolproof, and therefore all potential hazards of the Patriot’s software should have been explained to users of the system, as well as anyone that this weapon could affect. 7 The United States Army Patriot Office was informed of the bug in the Patriot Missile software, yet they did not immediately inform Patriot users of the issue. 4 Though the US Army did eventually inform Patriot users of this bug, the information was sent out six days after it was received, and the US Army displayed no urgency in the message. 4 The message sent to Patriot users stated that “very long run times could cause a shift in the range gate, resulting in the target being offset.” 4 The message did not contain any information on what constituted a “very long run time,” because they believed that the users would not run a Patriot system for an extended period of time (eight or more hours). 4 The fact that this message was sent out six days after the intelligence was received, compounded by the fact that it did not adequately inform users of the seriousness of the issue, showed the United States Army’s incompetence in sending out necessary information. The United States Army had information regarding a serious timing bug in the Patriot Missile code. 4 The users of the Patriot Missile were not informed of the bug, as point 1.04 of the SE Code mandates, and they continued using the Patriot Missile system under the impression that they would be protected from airborne threats. Because the software engineers and US Army did not disclose the potential danger of the Patriot Missile system to the users of the system (as required by point 1.04 of the SE Code), this incompetence can be considered unethical.

5.1.4 Deaths Caused by Patriot Missile Bug

If the Patriot Missile software had been adequately tested, the timing bug may have been found earlier, and the US Army may have been able to fix the issue before attempting to implement it in Patriot Missile batteries that were already protecting US troops
in combat. As described in the previous section, points 1.04 and 1.05 of the SE Code of Ethics obligate software engineers to inform the public about potential dangers in software. 11 More importantly, point 3.10 states that software engineers are required to “ensure adequate testing, debugging, and review of software...” 11 The US Army did not find this bug when they tested the patch, as described in Section 5.1.2, yet the IDF found this bug by simply recording a small amount of data when the Patriot is in use, 4 something that should have been done in the testing stage. This shows a lack of testing by the US Army’s software engineers. Additionally, as stated in Section 5.1.3, the US Army did not inform Patriot users of the timing bug in the system. Point 1.04 of the SE Code of Ethics makes it explicitly clear that software engineers are required to disclose all potential dangers of a system to the public (and in this case, the users of the Patriot Missile). 11 Because the US Army didn’t inform the Patriot users of the bug, the soldiers in Dhahran may have felt secure, but the Patriot system was not protecting them as intended. 4 Both the lack of testing and the fact that the US Army did not immediately inform Patriot users of the bug are breaches of the SE Code of Ethics, and should be considered unethical. These unethical breaches of the Software Engineering Code of Ethics may have led to the deaths of twenty-eight US troops in Dhahran, Saudi Arabia.

5.1.5 Conclusions from the SE Code of Ethics

Using the Software Engineering Code of Ethics to analyze three important arguments for the ethicality of the United States response to the 1991 bug found in the Patriot Missile system, the response by the United States looks unethical. Though the Patriot was not initially expected to intercept Scud missiles, the United States requested this functionality, and did so too quickly to perform ample software testing. Additionally, the lack of communication between the US Army and Patriot users, coupled with the death of twenty-eight United States Army soldiers, are shown to be unethical when looking at the first principle of the SE Code of Ethics: public good.

5.2 Utilitarianism

5.2.1 Introduction: Utilitarianism

Utilitarianism can be described as “the ethical doctrine that virtue is based on utility.” 12 In other words, an action should be based upon its contribution of happiness or pleasure as summed among all people in society. In this section, the ethical principle of Utilitarianism will be used to analyze applicable arguments stated earlier in this paper. Looking at these arguments from a Utilitarian perspective will provide insight to the ethicality of the US response to the bug found in the Patriot Missile code in 1991.

5.2.2 Deaths Caused by Patriot Bug and Prior Knowledge of Bug from IDF

The Utilitarian perspective promotes happiness for the many rather than happiness for the few. Because of this, if there is a machine that can save thousands of lives, but it happens to kill one person, a Utilitarian could consider the machine ethical. The Patriot Missile is a defense weapon that has been hailed as effective against aircraft, cruise missiles, and ballistic missiles (such as the Scud). 3 During the Gulf War, the Patriot claimed a success rate of 70% in Saudi Arabia, and 40% in Israel. 3 Though the exact number of threats intercepted by the Patriot is unknown, there is recorded evidence of at least 77 Patriot Missile engagements. 6 Using this as our base value (though this is likely much lower than the actual number of engagements), we can take 40% of this number (the lower of the two accuracies listed above), which translates to successful interceptions of at least 31 threats. On February 25, 1991, a known bug in the Patriot Missile software caused the system to fail to track a Scud missile, which hit a US Army barracks and killed twenty-eight Americans. 4 This known bug was found by the Israeli Defense Forces approximately two weeks earlier, yet the Patriot Missile system was still in use. The American forces in Dhahran, Saudi Arabia didn’t realize that the Patriot that was protecting them had a software bug that would cause it to fail. The United States Army had knowledge of the Patriot’s flaw, but
they also knew that shutting down or recalling the Patriot system would leave US troops vulnerable to airborne threats. Because of this, the United States Army did not convey the urgency of the situation to Patriot users, believing they would still be safe, even under a flawed system. Using the numbers above, we can estimate the number of lives saved by the Patriot Missile system. If the 31 threats calculated above had hit US Army bases, and twenty-eight soldiers were killed each time (as they were in the Dhahran incident), 868 American soldiers would have lost their lives had the Patriot Missile system not been protecting them. If any of these threats had been carrying a nuclear warhead, this number would be increased many times over. From a Utilitarian perspective, the lives that were potentially saved by the Patriot Missile (868 or many more) far outweigh the ones that it didn’t save (28). Though the Patriot had a known bug, if all batteries had been recalled or forced to shut down, many more lives would have been taken than only those in Dhahran. The United States Army came to this conclusion as well, or else they would have immediately shut down or recalled all Patriot systems when the bug was found. In this way, the stance taken by the US Army can be considered ethical under Utilitarian principles.

5.2.3 Scud Interception Rate

The US Army stated that the Patriot was 70% effective in Saudi Arabia, and 40% effective in Israel. 3 However, after a ten-month investigation by the House Government Operations subcommittee on Legislation and National Security, it was concluded that there was “little evidence to prove that the Patriot hit more than a few Scuds.” 2 In the previous section, it was concluded that the US response to the Patriot missile bug was ethical because the number of lives saved far outweighs the number of lives lost due to the Patriot bug. However, because the investigation of the Patriot revealed that there was little evidence proving that it adequately protected US troops, this conclusion may be incorrect.

A study performed by the Committee on Government Relations “found no convicting evidence . . . that any Scud warhead was destroyed by a Patriot.” 6 If it is true that not a single Scud was destroyed by a Patriot missile, then whether or not this bug was found, it is very improbable that the Patriot in Dhahran would have protected the barracks at all. Operating a safety-critical defense weapon that cannot perform its intended mission, protecting US and allied troops, may be considered unethical, but is outside the scope of this paper. Whether or not the Patriot performed its intended action against Scud missiles, it did have a high success rate against other threats, such as aircraft and cruise missiles. 3 Because of this, the Patriot still saved many lives, as discussed in Section 5.2.2. Had the United States shut down the Patriot system to fix the bug, or had they warned users sooner, it is unlikely that the outcome in this instance would have changed – the 28 soldiers would have likely still died. However, other US troops (such as the 868 described above) would not have been protected against other threats, such as aircraft and cruise missiles. Therefore, from a Utilitarian perspective, the US Army’s response is still ethical, whether or not the Patriot performed its intended purpose against Scud missiles. It is very likely that even if the bug had not existed, the twenty-eight soldiers would have died; informing users of the bug would not have saved additional lives.

5.2.4 Cost of Life vs Cost of Fixing the Problem

Utilitarian concepts can be applied to this situation financially as well. The US Army did not immediately inform Patriot users of the bug, and did not patch it for even longer. 4 The estimated cost of training a new US Army soldier from the moment they enter a recruiter’s office until they are on active duty is between $35,000 and $50,000. 13 In the United States, the average salary for a software engineer is $86,000. 14 Breaking down this salary per day, an average software engineer makes approximately ($86,000/yr) / (365 days/yr) = $235.62/day. As stated above, there were two weeks between the time that the US Army was informed of the change and the time that the patch arrived in Dhahran. 4 Because the exact number
of hours spent working on this patch is unknown, we will assume that 100% of this time was spent implementing the patch. (This is very unlikely; however, we know that no more than 100% of two weeks could be spent working on this, so we can assume the “worst-case” of the full two weeks.) Additionally, the exact number of engineers that worked on this patch is unknown, so we will assume a team size of 50 engineers. (Experience says that most software engineering teams are between five and nine people, so this is very unlikely, and can be considered “worst-case.”) Finally, because $235.62/day is the average salary of one US software engineer, we will triple this to get a “worst-case” salary for an engineer (i.e. a very high salary), in case these engineers were making much more than the average: $235.62/day × 3 = $706.86/day. Multiplying the above “worst-case” numbers will give us a worst-case cost, or “financial utility”, of fixing the Patriot Missile bug: (14 days × 50 engineers × $706.86/engineer/day) = $494,802.00. Because each of the values used was worst-case, it is likely that the cost of implementing this patch was no more than $494,802. Using the training costs of a US Army recruit above (taking the lowest possible number, $35,000) and multiplying that by the number of soldiers that were killed due to the Dhahran Patriot malfunctioning (28 soldiers), we get a cost of $980,000. This value does not take into account the cost of a soldier’s life, only the cost of training (the soldier’s “financial utility”). This shows that the financial utility of the soldiers that died in Dhahran was nearly twice as much as the cost to fix the bug. It is important to note that these numbers are worst-case, and that the soldiers’ utility does not take into account the cost of a soldier’s life, and therefore it would likely be an even larger difference in cost.
Because the utility of a soldier is substantially higher than the cost of patching the Patriot Missile bug, the Utilitarian conclusion in this case is that the United States Army was unethical for not immediately informing users of the Patriot bug, nor immediately fixing the problem.

5.2.5 Conclusions from Utilitarianism

If 868 soldiers are alive because of the Patriot Missile, but 28 are dead, Utilitarian principles say that the utility of the 868 “saved” lives outweighs the utility of the 28. Additionally, it is likely that the Patriot Missile system did not work as intended against Scud missiles, so if the US Army had shut down or recalled Patriot systems when the bug was found, the 28 soldiers would not have been saved, and more would have likely died (the 868). Looking at this, the US Army’s response to the bug seems ethical. Financially, we get a different outcome. The cost of fixing the bug was at most $494,802. The cost of training 28 soldiers is at least $980,000 (not including the “cost of life”). The financial utility of the soldiers that were killed is much higher than the cost of fixing the bug, and because the US Army did not act immediately to fix this bug, their response was unethical.

5.3 Deontology

5.3.1 Introduction: Deontology

Deontological principles rest on the fact that some choices are morally forbidden. [15] An act itself is looked at rather than the good or bad that it may produce. In deontology, the outcome is not involved in the ethicality of an act. [15] In this section, the ethical principle of deontology will be used to analyze the ethicality of the United States response to the Patriot Missile bug found in 1991.

5.3.2 Prior Knowledge of Bug from IDF: Negative Formulation

The US Army received data that distinctly showed a flaw in the Patriot Missile code on February 11, 1991. [4] It was not until the 21st that the Patriot Missile Office sent a message to users informing them of the flaw, and they did not inform users of the temporary solution of rebooting the Patriot every eight hours to reset the system time to zero. [4]

According to Peter Singer’s A Companion to Ethics, “deontological constraints are usually negatively formulated as ‘Thou shalt nots’ or prohibitions.” [16] Singer says that according to deontological principles, “lying” and “failing to tell the truth” are very different things, and that “lying is wrong” (while telling the truth is good) but “withholding a truth which another needs may be perfectly permissible.” [16] Singer then explains that lying would be considered unethical, but withholding the truth has no ethical effect – it is neither moral nor immoral according to deontology. [16] The US Army did not lie to Patriot users about the temporary solution to the bug; rather, they withheld “a truth which another need[ed].” [16] The US Army withheld information that the Patriot users should have known. According to Singer, telling the truth in this situation would be considered good (or ethical), but withholding this information would not be considered unethical. Instead, withholding this information had no ethical consequence in this situation – it was a neutral act. [16]

5.3.3 Prior Knowledge of Bug from IDF: SE Code by Deontology

Under deontology, the inherent “rightness” of an act is based on conformity with a moral norm. [15] As morality differs depending on location and circumstance, the deontologist would base the ethicality of acts on moral norms in the given setting. The Software Engineering Code of Ethics is the ethical and moral standard for practicing software engineering. [11] Therefore, when an ethical situation arises, and when this situation relates to software engineering, the SE Code of Ethics must be used to deontologically determine the ethicality of the given situation. The conclusion in the previous section says that the US Army’s decision to withhold information from Patriot users was neutral, with no ethical ramifications. We determined that not withholding information would have been “good,” but withholding information was not inherently “bad.” However, as stated in Section 5.1.3 above, point 1.04 of the SE Code of Ethics requires disclosure “to appropriate persons . . . any actual or potential danger to the user, [or] the public . . . that they reasonably believe to be associated with software. . .” [11] The US Army did not inform the public about the potential danger (the bug) in the Patriot Missile system. [4] Because the flaw in the Patriot was a software bug, the SE Code may be used as a basis for the deontological analysis of this issue, as determined above. We can conclude that the US Army withholding this information is in violation of section 1.04 of the SE Code of Ethics, and therefore is deontologically unethical. Because of this, it is accurate to say that had the US Army not withheld information, it would have been “good,” and withholding information would have been unethical, or “bad” according to deontology.

5.3.4 Conclusions from Deontology

The deontological perspective forbids certain acts based on their unethicality. [15] When looking at the US Army’s response to the Patriot Missile bug found in 1991, we can see that the Army responded unethically in the given situation, due to the fact that they disobeyed the SE Code of Ethics. As determined in the previous section, the SE Code can be used as a basis for deontological analyses, and in this case the US Army ignored section 1.04 of the SE Code. Looking purely at the US Army’s response – withholding information that was needed by Patriot users – shows us that though there was no ethical wrongdoing, it was also not “ethical”; it just had no negative effect. However, because we can use the SE Code of Ethics to determine ethicality for software problems under deontology, and we know that section 1.04 was ignored, we can conclude that it was an unethical decision.

6 Conclusion

When the US Army was informed of a timing bug in the Patriot Missile system in 1991, they responded by fixing the bug, but not until two weeks after they received the intelligence. [4] Because of this, twenty-eight US Army soldiers were killed in Dhahran, Saudi Arabia when a Patriot lost tracking on an incoming Scud missile, which ended up hitting an Army barracks. [4] Using various ethical guidelines, it has been shown that the US Army’s response to finding this bug was unethical.

Under the guidance of the Software Engineering Code of Ethics, the unethicality of the US Army’s response to this bug is displayed by their disregard for multiple SE Code principles. The US Army’s software engineers did not moderate the needs of the client, employer, and users with the public good (SE Code 1.02), and because of this, twenty-eight soldiers died. Had the US Army taken more time for testing (SE Code 3.10), they would have determined this bug existed before updating all Patriot systems with the flawed patch. [4, 11] Additionally, the US Army did not disclose the potential danger of the Patriot system, so users and the public were uninformed of the flaw (SE Code 1.04 and 1.05). Finally, the development of the patch created for the Patriot Missile system was not given “the same professionalism as new development” (SE Code 3.15). Had the Software Engineering Code of Ethics been taken into account rather than ignored, it is likely the timing bug would have been discovered and the lives of twenty-eight US soldiers may not have been taken. This displays the unethicality of the US Army’s response under the principles set forth in the SE Code of Ethics.

Utilitarian principles say that the utility of the 868 lives potentially saved by the Patriot Missile outweighs the utility of the 28 killed by a bug in the Patriot’s code. Looking at this point alone, it seems like the US Army’s response (not informing users and not recalling or shutting down Patriot Missile batteries) was ethical. However, financial utility comes to a different conclusion. The cost of fixing the bug was at most $494,802 (Section 5.2.4). The cost of training 28 US Army soldiers is at least $980,000. This does not take into account the cost of life or damages done by ending a soldier’s life. Because the financial utility of 28 soldiers is almost twice as high as the cost of fixing the bug, the US Army’s response of not immediately fixing the bug (or informing users) can be considered unethical. Because it was possible to fix the bug (and therefore it was not necessary to shut down or recall all Patriot systems), the above conclusion (that the US Army’s response was ethical) is not accurate. If the Army had acted ethically, the 868 lives would have still been saved, but the 28 soldiers who died due to this bug may also not have been killed.

Because we can use the SE Code of Ethics as a basis for deontology when referring to software engineering, such as this case, and because it has been shown that the US Army ignored many SE Code principles, it can be concluded that the US Army’s response to the bug was deontologically unethical. Section 5.3.3 explained that using the SE Code as a deontological basis for this case was allowable, and because the US Army withheld information (which point 1.04 of the SE Code forbids), their response was unethical. In addition, Section 5.3.2 explained that not withholding this information would have been the ethical course of action.

Each of the above points shows that the United States Army’s response to the 1991 bug found in the Patriot Missile Code is unethical. This unethicality is seen in both the US Army’s lack of responsiveness in sharing necessary information, as well as their lack of professionalism in attempting to update the Patriot without adequate testing.

References

[1] “Patriot missile air defence system - Army Technology.” [Online]. Available: http://www.army-technology.com/projects/patriot/
[2] A. Simon, “The Patriot missile. Performance in the Gulf War reviewed.” [Online]. Available: http://www.cdi.org/issues/bmd/patriot.html
[3] “Operation Desert Storm: Data does not exist to conclusively say how well Patriot performed,” US GAO. [Online]. Available: http://www.fas.org/spp/starwars/gao/b250335.htm
[4] “Patriot missile defense: Software problem led to system failure at Dhahran, Saudi Arabia,” United States General Accounting Office, Tech. Rep. IMTEC-92-26, Feb. 1992. [Online]. Available: http://www.gao.gov/products/IMTEC-92-26
[5] “Patriot: The missile that missed,” New Scientist, Apr. 1992. [Online]. Available: http://www.newscientist.com/article/mg13418171.600-patriot-the-missile-that-missed.html
[6] T. A. Postol and G. N. Lewis, “Postol/Lewis review of Army’s study on Patriot effectiveness.” [Online]. Available: http://www.fas.org/spp/starwars/docops/pl920908.htm
[7] S. A. Hildreth, “Evaluation of U.S. Army assessment of Patriot antitactical missile effectiveness in the war against Iraq,” Apr. 1992. [Online]. Available: http://www.fas.org/spp/starwars/congress/1992_h/h920407h.htm
[8] I. Peterson, Fatal Defect: Chasing Killer Computer Bugs. New York: Vantage Books, 1996.
[9] J. Kruger, “Unskilled and unaware of it: How difficulties in recognizing one’s own incompetence lead to inflated self-assessments,” Journal of Personality and Social Psychology, vol. 77, no. 6, pp. 1121–1134, 1999.
[10] J. S. Clair, “US: The fatal flaws in the Patriot missile system,” Apr. 2003. [Online]. Available: http://www.corpwatch.org/article.php?id=11110
[11] “Software engineering code of ethics.”
[12] “Definition of utilitarianism.” [Online]. Available: http://dictionary.reference.com/browse/utilitarianism
[13] L. D. L. Thomas II, “Is the U.S. Army a business?” Dec. 2004. [Online]. Available: http://www.military.com/NewContent/0,13190,120304_ArmyBusiness-P1,00.html
[14] “Software engineer salaries in United States.” [Online]. Available: http://www.indeed.com/salary/q-Software-Engineer-l-United-States.html
[15] “Deontological ethics,” Nov. 2007. [Online]. Available: http://plato.stanford.edu/entries/ethics-deontological/#DeoOblObeLaw
[16] P. Singer, A Companion to Ethics. Wiley-Blackwell, Jun. 1993. [Online]. Available: http://books.google.com/books?id=17i10ZZu8O4C&pg=PA208&lpg=PA208&dq=deontology+on+withholding+information&source=bl&ots=q5-A4vydzd&sig=sWGcM2q4LikLozVo9OFBlxMLEf0&hl=en&ei=s-QRS-bBIo-IsgPa9ciKDw&sa=X&oi=book_result&ct=result&resnum=1&ved=0CAgQ6AEwAA#v=onepage&q=&f=false
