There was an immediate circling of the wagons late last week after Lt Gen Chris Bogdan, Joint Strike Fighter program director, took a shot at his contractors’ security measures in a Senate hearing. The government side of the program, Bogdan said, had “implemented robust security measures over the past five years” and together with international government partners “recognized the huge responsibility” of protecting the project’s technology.
But then Bogdan added: "I'm a little less confident about industry partners to be quite honest with you ... I would tell you I'm not that confident outside the department."
Industry spokesmen were quick to dispute Bogdan’s statement, and even JSF program office media representative Joe DellaVedova seemed to be walking it back, telling Reuters: "The F-35 is no more or less vulnerable to known cyber threats than legacy aircraft were during their initial development and early production."
As I believe the kids say on the Intertubez these days: LOL WUT?
What JSF-world calls legacy aircraft – F-16s and F-15s – went through initial development and early production in the 1970s when we didn’t know what cyber-anything was (apart from villains on Dr Who), technical data was stored on sheets of Mylar, and Boris Badenov had a Minox tucked in his sock. Perhaps there was some GRU project to insert radio transmitters and keystroke monitors into IBM Selectrics that we didn’t know about. DellaVedova did not respond to a request to clarify this comment.
But as a government official familiar with cyber threats and Air Force programs points out, “for the program manager to reach a threshold of worry where he'll say that to Congress, no less, he's got serious issues on his hands.”
Bogdan also knows what anyone listening who has studied security and cyberespionage to any degree understands: Industry has far more people, and consequently a larger “attack surface,” than government in the JSF program, so strong government security is of little use if industry’s is lacking. This also sounds like a wider issue than the security vulnerabilities that forced a redesign of the JSF’s massive Autonomic Logistics Information System over the last couple of years.
It’s also a matter of concern that there is still a JSF security issue on this scale, four years after the program was reportedly hacked and the Advanced Persistent Threat – basically, Chinese-based computer network exploitation – was first identified. But as some experts noted at the time, the JSF program’s information system is huge and spread among thousands of stakeholders, and it was designed long before the APT emerged as the menace it is.
Moreover, the recognition of the APT happened at a point in time when the JSF program was – by most recent accounts – in very poor shape. Shutting down the information system and replacing it with something more hacker-resistant was not an option.
It’s not so much technology as culture and training, as I reported a few months ago. I don’t think, for example, that any enterprise is likely to be very secure as long as people claiming to be inside it brag about their access on public message boards. (You know who you are.) Maybe if the contractors fired some of their Astroturf consultants, they could free some resources to fix the problem.