Reports of Cyberthefts From F-35 Program
The F-35 stealth fighter family is the largest defense program in the world, with estimated total costs of about $300 billion for development and for all planned aircraft. That program size, the number of countries participating, and the level of length of their commitment to a single aircraft type also makes it one of the world’s most important future weapons. The F-35 designs’ future success or failure on the battlefield are consequential enough that failure could alter regional, and even global, balances of power.
In May 2008, POGO obtained a Department of Defense (DoD) Inspector General (IG) report suggesting that “advanced aviation and weapons technology for the JSF program may have been compromised by unauthorized access at facilities and in computers at BAE Systems…”, and documenting lack of cooperation with the Defense Security Service from BAE. Now a Wall Street Journal report, filed in the wake of its revelations that crackers have infiltrated the USA’s power grid and left behind malicious software, reveals thefts from the F-35 program as well.
In October 2008, the DoD Inspector General removed its report about BAE, on the grounds that they lacked “sufficient appropriate evidence” that advanced technology and classified information may have been compromised. Now, a Wall Street Journal report maintains that:
“Computer spies have broken into the Pentagon’s $300 billion Joint Strike Fighter project… intruders were able to copy and siphon off several terabytes of data related to design and electronics systems… Six current and former officials familiar with the matter confirmed that the fighter program had been repeatedly broken into. The Air Force has launched an investigation.
…The intruders compromised the system responsible for diagnosing a plane’s maintenance problems during flight… [the] plane’s most vital systems — such as flight controls and sensors — are physically isolated from the publicly accessible Internet… intruders entered through vulnerabilities in the networks of two or three contractors…”
BAE Systems is one of the 3 biggest contractors in the F-35 Joint Strike Fighter program, alongside Northrop Grumman and below program lead Lockheed Martin. Within the information accessible from the Internet, the Wall Street Journal adds that the crackers:
“…inserted technology that encrypts the data as it’s being stolen; as a result, investigators can’t tell exactly what data has been taken… Investigators traced the penetrations back with a “high level of certainty” to known Chinese Internet protocol, or IP, addresses and digital fingerprints that had been used for attacks in the past, said a person briefed on the matter.”
The Pentagon initially said that they were “not aware of any specific concerns” regarding compromised information, then said that it would not comment on “alleged or actual cyber infiltrations, potential impacts to DoD operations, or any possible investigations,” in order to deny outsiders information about what it knew. A policy of that kind can certainly be used for denial and obfuscation. On the other hand, telling hostile outsiders about the breaches you’re aware of can suggest which of their breaches you may not be aware of, providing enemies with important and potentially damaging information.
Lockheed Martin is quoted by Reuters as saying that “We actually believe the Wall Street Journal was incorrect in its representation of successful cyber attacks on the F-35 program.” CFO Bruce Tanner added on a subsequent conference call that “to our knowledge there’s never been any classified information breach.”
Of course, it is quite possible for the Wall Street Journal and Lockheed Martin’s CFO to both be correct. As the recent P2P security breach involving VH-60 Presidential Helicopters demonstrated, it is quite possible to have a security breach that exposes files to hostile individuals or regimes, but none of it is classified information in the strict sense of the term.
The gathering evidence of genuine security threats involving classified files and critical national infrastructure, however, is likely to raise the profile of programs like the USA’s government-wide cybersecurity initiative.
- POGO (April 21/09) – News Reports Confirm POGO’s Exposure of Computer Spies: Joint Strike Fighter Program Security Compromised. Includes links to the Inspector General report, and the subsequent retraction.