It appears that major threats to the survivability of critical infrastructure applications cannot be ruled out. The profound consequences of failures of these systems demand that survivability be addressed urgently. In addition to external terrorist and other threats, the ability of critical systems to continue to provide service is threatened by the non-malicious processes of inadequate software engineering and, especially, by the degradation of desired system properties that generally accompanies software evolution.