05 March 2016

Another Strike Against the F-35

Rather unsurprisingly, it is the logistics and prognostics software, ALIS.

It has not been working right in tests, and even when it does, it means that there is effectively an off switch for any foreign buyer's aircraft located in the United States.

Now we learn that they are intending to go live with the system before testing its vulnerability to hackers: (Paid subscription required)
The F-35’s Autonomic Logistics Information System (ALIS) will deploy its next major software release—2.0.2—in July, but concerns remain about performance and security. A report by the Director of Operational Test and Evaluation (DOT&E) released in January suggests delayed ALIS software may push back U.S. Air Force initial operational capability (IOC) and that the network’s cybersecurity has become a key concern.

Lockheed Martin’s ALIS program manager, Jeff Streznetcky, says a U.S. Marine Corps exercise at Twentynine Palms, California, in December and an ongoing Air Force test program at Mountain Home, Idaho, offer more representative indications of ALIS’s readiness than the report.

“By all accounts, ALIS performed exceptionally well” at Twentynine Palms, he says, “and the reports I’m getting out of Mountain Home are similar. ALIS is doing its job supporting the warfighter and ultimately turning jets.”


Leaked National Security Agency briefing documents confirm China obtained F-35 engine schematics and radar designs after compromising program systems in the mid-2000s. Less attention has been focused on the kind of information routinely moving through ALIS, which may represent the program’s biggest threat surface.

“The Chinese see ALIS as a fantastic opportunity to enhance and improve their own fighter-aircraft capabilities,” says Bill Hagestad, a retired Marine Corps colonel and expert on Chinese cyber competencies. “But ALIS data would also be of considerable operational and strategic value to the Chinese if they were able to take a look at the disposition and laydown of deployed combat aircraft.”

According to a 2015 report by cybersecurity vendor FireEye, it takes 205 days on average for network breaches to be detected. Even if all data are encrypted, content could be inferred through analysis of network traffic patterns. Attackers can remain undetected longer if they are leveraging previously unknown vulnerabilities.

ALIS’s security is not just dependent on Lockheed’s own software and network defenses deployed on the different national and corporate systems ALIS data transits. The system incorporates a number of off-the-shelf component programs to handle logistics management and other functions: This has cut development timescales and lowered costs, but any vulnerabilities in those products become ALIS vulnerabilities.


A comprehensive, ongoing cybersecurity testing regime would appear to be a necessity. Yet the DOT&E report states: “The program currently does not plan to conduct cybersecurity penetration testing during the development of this ALIS release [2.0.2], or any future developmental releases, but will instead rely on previous, albeit limited, cybersecurity test results.”

This has not gone over well with cybersecurity experts. “Suggesting that this should be deployed before it’s properly tested and then tested after it’s deployed is backward security,” says Adriel Desautels, founder of penetration-testing specialist Netragard. “I don’t have a word strong enough to describe the level of absurdity involved with that. You can’t possibly deploy something that’s this sensitive and just have blind faith that you won’t get hacked.
Of course, Lockheed-Martin and the Pentagon maintain that they will deal with any potential vulnerabilities as soon as they get a round to it.

They want to get the aircraft into the field and have a large captive market before people realize that the aircraft is an unaffordable dog.

Ship, then fix.

As any computer gamer knows, there is a a whole world of grief that comes from this arrangement.


Post a Comment