By Andrea Shalal-Esa
WASHINGTON Nov 16 When computer "hackers"
working for the U.S. Navy succeeded in breaking into the
computer logistics system that controls the Lockheed Martin Corp
F-35 Joint Strike Fighter earlier this year, they did
the company a favor: allowing it to fix a critical vulnerability
in the $396 billion program.
Now, as the Marine Corps prepares to set up its first
operational squadron of F-35s next week, some experts say other
security risks may lurk within such a large and highly networked
weapons support system.
One concern: Lockheed shored up political backing for the
F-35 by choosing suppliers in nearly every U.S. state. But
having such a large and widely dispersed group increases
exposure to cyber attacks, said Ben Freeman, national security
investigator with the non-profit Project on Government
"Even if Lockheed has top-notch cyber security, it's still
vulnerable if its subcontractors are vulnerable," he said.
The military's move toward greater use of so-called
autonomic weapons systems, which rely heavily on computers,
promises to revolutionize the way weapons are maintained and
operated, but also carries a new level of cyber risk.
And the weapons designers are having difficulty keeping up
with the hackers. While it often takes years to field new
weapons systems, cyber threats are evolving and changing on a
daily basis, said Raphael Mudge, a former Air Force engineer and
independent cyber expert.
"You have to be continually assessing the risk," he said.
The heightened concern comes as computer attacks are on the
rise. Lockheed cyber experts said Monday that the company had
seen a large increase in the number and sophistication of
attacks on its networks. It accused governments that it did not
name of targeting and breaking into the networks of its
Lockheed officials said millions of suspicious emails were
directed at the company each day, including a handful that were
considered advanced persistent threats from foreign nations.
But Lockheed's complex maintenance and support system for
the F-35, known as ALIS, or Autonomic Logistics Information
System, is under attack on another front, too.
The Pentagon is talking to Lockheed competitors this week
about running that system and others needed to operate and
maintain the new plane, in an effort to rein in F-35 maintenance
costs estimated at up to $1.1 trillion over the next 50 years.
If the Pentagon ousted Lockheed from running the system it
built, the defense giant could lose billions in anticipated
revenue. With a price tag in the billions of dollars, ALIS is
large enough to be considered a major weapons program on its
Lockheed is trying hard to hold on. It says it has fixed the
ALIS problems the Navy found and has its own cyber experts
checking its own networks and any issues involving suppliers.
Defense consultant Robbin Laird downplayed concerns about
ALIS performance or security in general, saying that all modern
weapons systems rely on computer networks and improve over time.
He said the benefits of the automated logistics systems would
pay off in huge savings over time.
Still, the Pentagon will meet this week with more than 160
companies interested in competing with Lockheed on ALIS and
other aspects of sustainment.
Joe DellaVedova, Pentagon spokesman for the F-35, said so
many companies responded to the government's invitation to a
two-day forum on procurement opportunities that a third day was
added. The goal, he said, was to inject competition into the
F-35 program to reduce its "life-cycle costs."
The F-35 program has been restructured three times in recent
years, in part to try to cut costs. Earlier this year the
Pentagon said "no more money" would be put toward cost overruns
and the military would buy fewer planes if costs rose.
The Defense Department also is bracing for sequestration, a
process that would cut the military's budget by $50 billion a
year over a decade, on top of more than $50 billion in annual
cuts already on the books.
Lockheed executives plan to attend the Pentagon meetings
this week and say the company uses competition to choose among
suppliers on the program. Its in-house work only accounts for
about 30 percent of the total cost of the plane, Lockheed says.
Laird said it made sense for Lockheed, as the jet
manufacturer, to continue running ALIS since maintenance data
could improve production and increase parts reliability. "To
treat this as if it were a classic sustainment program is to
miss the whole point," he said.
NAVY'S SURPRISE ATTACK
Lockheed runs ALIS from a large, darkened control room in
Fort Worth, Texas. ALIS gives pilots access to their mission
plans, but they don't need the system to fly the radar-evading
F-35, which will replace nearly a dozen different warplanes now
in service worldwide. However the system allows the military to
track, diagnose and predict the health of planes in the fleet,
not unlike modern "smart cars" that prompt drivers to check tire
pressure or change the oil.
Lockheed says ALIS will revolutionize the way military
airplanes are serviced and maintained, saving billions of
dollars over the life of the program.
But increased sophistication brings greater security risk.
Lockheed said it uses in-house "hackers" to test vulnerabilities
in its networks and notifies suppliers if it finds any.
Still, the company was not aware of the Navy's stealthy
penetration of the system while it was happening. Tom Burbage,
Lockheed's general manager for the F-35 program, acknowledged
that the Navy's cyber-expert "red team" took Lockheed by
"It was meant to be a covert surprise, and it was," he told
Reuters. "It's classified. It was need-to-know. We didn't know
any of the details until we eventually got people who were
cleared who got the details."
The problem the Navy exploited, according to several people
familiar with the program, centered on the fact that ALIS
includes both classified and unclassified data streams, and the
two were not properly separated to prevent intrusions.
Burbage said Lockheed developed a "fairly straightforward
fix" that did not require major adjustments to the ALIS system,
which is now at about 94 percent of its final capability. He
said the Pentagon's initial ALIS specifications did not require
separating classified and unclassified data, since cyber threats
were less prevalent in 2001 when the F-35 program began.
The latest version of ALIS has been in use at Edwards Air
Force Base in California for several months, Burbage said, and
will be used at Nellis Air Force Base in Nevada when Lockheed
delivers four F-35s for testing next month or early January.
YUMA SQUADRON LAUNCH
The Navy "hacking" had threatened to derail plans by the
Marine Corps to set up its first operational squadron of F-35
fighters at an air base in Yuma, Arizona, next week.
The Marines will be the first military service to start
using the planes, probably around 2015, because their existing
fleeting of F/A-18 fighters and Harriers is aging and expensive
"It was a serious concern. We didn't think we'd be where we
are today for another three months," said Col. Kevin Killea, who
oversees aviation requirements for the Marine Corps. He said the
system must be in place for Marine Corps pilots to begin flying
the jets at the base in December.
Marine Corps and industry officials will formally kick off
the operational squadron at the Yuma base on Nov. 20, although
they are still waiting for final approval for pilots to start
local area flights in late December.
"Everything is on schedule now," Killea said, adding
Lockheed had done "good work" to fix the logistics system and
keep the Marine Corps plans for the Yuma base on schedule.