WASHINGTON (Reuters) - When computer "hackers" working for
the U.S. Navy succeeded in breaking into the computer logistics system
that controls the Lockheed Martin Corp
F-35 Joint Strike Fighter earlier this year, they did the company a
favor: allowing it to fix a critical vulnerability in the $396 billion
program.
Now, as the Marine
Corps prepares to set up its first operational squadron of F-35s next
week, some experts say other security risks may lurk within such a large
and highly networked weapons support system.
One concern:
Lockheed shored up political backing for the F-35 by choosing suppliers
in nearly every U.S. state. But having such a large and widely dispersed
group increases exposure to cyber attacks, said Ben Freeman, national
security investigator with the non-profit Project on Government
Oversight.
"Even if Lockheed
has top-notch cyber security, it's still vulnerable if its
subcontractors are vulnerable," he said.
The military's move
toward greater use of so-called autonomic weapons systems, which rely
heavily on computers, promises to revolutionize the way weapons are
maintained and operated, but also carries a new level of cyber risk.
And the weapons
designers are having difficulty keeping up with the hackers. While it
often takes years to field new weapons systems, cyber threats are
evolving and changing on a daily basis, said Raphael Mudge, a former Air
Force engineer and independent cyber expert.
"You have to be continually assessing the risk," he said.
The heightened
concern comes as computer attacks are on the rise. Lockheed cyber
experts said Monday that the company had seen a large increase in the
number and sophistication of attacks on its networks. It accused
governments that it did not name of targeting and breaking into the
networks of its suppliers.
Lockheed officials
said millions of suspicious emails were directed at the company each
day, including a handful that were considered advanced persistent
threats from foreign nations.
But Lockheed's
complex maintenance and support system for the F-35, known as ALIS, or
Autonomic Logistics Information System, is under attack on another
front, too.
The Pentagon
is talking to Lockheed competitors this week about running that system
and others needed to operate and maintain the new plane, in an effort to
rein in F-35 maintenance costs estimated at up to $1.1 trillion over
the next 50 years.
If the Pentagon
ousted Lockheed from running the system it built, the defense giant
could lose billions in anticipated revenue. With a price tag in the
billions of dollars, ALIS is large enough to be considered a major weapons program on its own.
Lockheed is trying
hard to hold on. It says it has fixed the ALIS problems the Navy found
and has its own cyber experts checking its own networks and any issues
involving suppliers.
Defense consultant
Robbin Laird downplayed concerns about ALIS performance or security in
general, saying that all modern weapons systems rely on computer
networks and improve over time. He said the benefits of the automated
logistics systems would pay off in huge savings over time.
Still, the Pentagon will meet this week with more than
160 companies interested in competing with Lockheed on ALIS and other
aspects of sustainment.
Joe DellaVedova,
Pentagon spokesman for the F-35, said so many companies responded to the
government's invitation to a two-day forum on procurement opportunities
that a third day was added. The goal, he said, was to inject
competition into the F-35 program to reduce its "life-cycle costs."
The F-35 program
has been restructured three times in recent years, in part to try to cut
costs. Earlier this year the Pentagon said "no more money" would be put
toward cost overruns and the military would buy fewer planes if costs
rose.
The Defense Department also is bracing for
sequestration, a process that would cut the military's budget by $50
billion a year over a decade, on top of more than $50 billion in annual
cuts already on the books.
Lockheed executives plan to attend the Pentagon
meetings this week and say the company uses competition to choose among
suppliers on the program. Its in-house work only accounts for about 30
percent of the total cost of the plane, Lockheed says.
Laird said it made sense for Lockheed, as the jet
manufacturer, to continue running ALIS since maintenance data could
improve production and increase parts reliability. "To treat this as if
it were a classic sustainment program is to miss the whole point," he
said.
NAVY'S SURPRISE ATTACK
Lockheed runs ALIS
from a large, darkened control room in Fort Worth, Texas. ALIS gives
pilots access to their mission plans, but they don't need the system to
fly the radar-evading F-35, which will replace nearly a dozen different
warplanes now in service worldwide. However the system allows the
military to track, diagnose and predict the health of planes in the
fleet, not unlike modern "smart cars" that prompt drivers to check tire
pressure or change the oil.
Lockheed says ALIS
will revolutionize the way military airplanes are serviced and
maintained, saving billions of dollars over the life of the program.
But increased
sophistication brings greater security risk. Lockheed said it uses
in-house "hackers" to test vulnerabilities in its networks and notifies
suppliers if it finds any.
Still, the company
was not aware of the Navy's stealthy penetration of the system while it
was happening. Tom Burbage, Lockheed's general manager for the F-35
program, acknowledged that the Navy's cyber-expert "red team" took
Lockheed by surprise.
"It was meant to be
a covert surprise, and it was," he told Reuters. "It's classified. It
was need-to-know. We didn't know any of the details until we eventually
got people who were cleared who got the details."
The problem the
Navy exploited, according to several people familiar with the program,
centered on the fact that ALIS includes both classified and unclassified
data streams, and the two were not properly separated to prevent
intrusions.
Burbage said
Lockheed developed a "fairly straightforward fix" that did not require
major adjustments to the ALIS system, which is now at about 94 percent
of its final capability. He said the Pentagon's initial ALIS
specifications did not require separating classified and unclassified
data, since cyber threats were less prevalent in 2001 when the F-35
program began.
The latest version
of ALIS has been in use at Edwards Air Force Base in California for
several months, Burbage said, and will be used at Nellis Air Force Base
in Nevada when Lockheed delivers four F-35s for testing next month or early January.
YUMA SQUADRON LAUNCH
The Navy "hacking"
had threatened to derail plans by the Marine Corps to set up its first
operational squadron of F-35 fighters at an air base in Yuma, Arizona,
next week.
The Marines will be
the first military service to start using the planes, probably around
2015, because their existing fleeting of F/A-18 fighters and Harriers is
aging and expensive to maintain.
"It was a serious concern. We didn't think we'd be
where we are today for another three months," said Col. Kevin Killea,
who oversees aviation requirements for the Marine Corps. He said the
system must be in place for Marine Corps pilots to begin flying the jets
at the base in December.
Marine Corps and industry officials will formally kick
off the operational squadron at the Yuma base on November 20, although
they are still waiting for final approval for pilots to start local area
flights in late December.
"Everything is on
schedule now," Killea said, adding Lockheed had done "good work" to fix
the logistics system and keep the Marine Corps plans for the Yuma base
on schedule.
(Reporting By Andrea Shalal-Esa; Editing by Alwyn Scott and Steve Orlofsky)
Post a Comment