WASHINGTON (Reuters) - When computer “hackers” working for the U.S. Navy succeeded in breaking into the computer logistics system that controls the Lockheed Martin Corp F-35 Joint Strike Fighter earlier this year, they did the company a favor: allowing it to fix a critical vulnerability in the $396 billion program.
Now, as the Marine Corps prepares to set up its first operational squadron of F-35s next week, some experts say other security risks may lurk within such a large and highly networked weapons support system.
One concern: Lockheed shored up political backing for the F-35 by choosing suppliers in nearly every U.S. state. But having such a large and widely dispersed group increases exposure to cyber attacks, said Ben Freeman, national security investigator with the non-profit Project on Government Oversight.
“Even if Lockheed has top-notch cyber security, it’s still vulnerable if its subcontractors are vulnerable,” he said.
The military’s move toward greater use of so-called autonomic weapons systems, which rely heavily on computers, promises to revolutionize the way weapons are maintained and operated, but also carries a new level of cyber risk.
And the weapons designers are having difficulty keeping up with the hackers. While it often takes years to field new weapons systems, cyber threats are evolving and changing on a daily basis, said Raphael Mudge, a former Air Force engineer and independent cyber expert.
“You have to be continually assessing the risk,” he said.
The heightened concern comes as computer attacks are on the rise. Lockheed cyber experts said Monday that the company had seen a large increase in the number and sophistication of attacks on its networks. It accused governments that it did not name of targeting and breaking into the networks of its suppliers.
Lockheed officials said millions of suspicious emails were directed at the company each day, including a handful that were considered advanced persistent threats from foreign nations.
But Lockheed’s complex maintenance and support system for the F-35, known as ALIS, or Autonomic Logistics Information System, is under attack on another front, too.
The Pentagon is talking to Lockheed competitors this week about running that system and others needed to operate and maintain the new plane, in an effort to rein in F-35 maintenance costs estimated at up to $1.1 trillion over the next 50 years.
If the Pentagon ousted Lockheed from running the system it built, the defense giant could lose billions in anticipated revenue. With a price tag in the billions of dollars, ALIS is large enough to be considered a major weapons program on its own.
Lockheed is trying hard to hold on. It says it has fixed the ALIS problems the Navy found and has its own cyber experts checking its own networks and any issues involving suppliers.
Defense consultant Robbin Laird downplayed concerns about ALIS performance or security in general, saying that all modern weapons systems rely on computer networks and improve over time. He said the benefits of the automated logistics systems would pay off in huge savings over time.
Still, the Pentagon will meet this week with more than 160 companies interested in competing with Lockheed on ALIS and other aspects of sustainment.
Joe DellaVedova, Pentagon spokesman for the F-35, said so many companies responded to the government’s invitation to a two-day forum on procurement opportunities that a third day was added. The goal, he said, was to inject competition into the F-35 program to reduce its “life-cycle costs.”
The F-35 program has been restructured three times in recent years, in part to try to cut costs. Earlier this year the Pentagon said “no more money” would be put toward cost overruns and the military would buy fewer planes if costs rose.
The Defense Department also is bracing for sequestration, a process that would cut the military’s budget by $50 billion a year over a decade, on top of more than $50 billion in annual cuts already on the books.
Lockheed executives plan to attend the Pentagon meetings this week and say the company uses competition to choose among suppliers on the program. Its in-house work only accounts for about 30 percent of the total cost of the plane, Lockheed says.
Laird said it made sense for Lockheed, as the jet manufacturer, to continue running ALIS since maintenance data could improve production and increase parts reliability. “To treat this as if it were a classic sustainment program is to miss the whole point,” he said.
Lockheed runs ALIS from a large, darkened control room in Fort Worth, Texas. ALIS gives pilots access to their mission plans, but they don’t need the system to fly the radar-evading F-35, which will replace nearly a dozen different warplanes now in service worldwide. However the system allows the military to track, diagnose and predict the health of planes in the fleet, not unlike modern “smart cars” that prompt drivers to check tire pressure or change the oil.
Lockheed says ALIS will revolutionize the way military airplanes are serviced and maintained, saving billions of dollars over the life of the program.
But increased sophistication brings greater security risk. Lockheed said it uses in-house “hackers” to test vulnerabilities in its networks and notifies suppliers if it finds any.
Still, the company was not aware of the Navy’s stealthy penetration of the system while it was happening. Tom Burbage, Lockheed’s general manager for the F-35 program, acknowledged that the Navy’s cyber-expert “red team” took Lockheed by surprise.
“It was meant to be a covert surprise, and it was,” he told Reuters. “It’s classified. It was need-to-know. We didn’t know any of the details until we eventually got people who were cleared who got the details.”
The problem the Navy exploited, according to several people familiar with the program, centered on the fact that ALIS includes both classified and unclassified data streams, and the two were not properly separated to prevent intrusions.
Burbage said Lockheed developed a “fairly straightforward fix” that did not require major adjustments to the ALIS system, which is now at about 94 percent of its final capability. He said the Pentagon’s initial ALIS specifications did not require separating classified and unclassified data, since cyber threats were less prevalent in 2001 when the F-35 program began.
The latest version of ALIS has been in use at Edwards Air Force Base in California for several months, Burbage said, and will be used at Nellis Air Force Base in Nevada when Lockheed delivers four F-35s for testing next month or early January.
The Navy “hacking” had threatened to derail plans by the Marine Corps to set up its first operational squadron of F-35 fighters at an air base in Yuma, Arizona, next week.
The Marines will be the first military service to start using the planes, probably around 2015, because their existing fleeting of F/A-18 fighters and Harriers is aging and expensive to maintain.
“It was a serious concern. We didn’t think we’d be where we are today for another three months,” said Col. Kevin Killea, who oversees aviation requirements for the Marine Corps. He said the system must be in place for Marine Corps pilots to begin flying the jets at the base in December.
Marine Corps and industry officials will formally kick off the operational squadron at the Yuma base on November 20, although they are still waiting for final approval for pilots to start local area flights in late December.
“Everything is on schedule now,” Killea said, adding Lockheed had done “good work” to fix the logistics system and keep the Marine Corps plans for the Yuma base on schedule.
Reporting By Andrea Shalal-Esa; Editing by Alwyn Scott and Steve Orlofsky