Hacking the secrets of Australia’s Joint Strike Fighter

An F-35A Joint Strike Fighter on a night mission in the US. Flickr/Lockheed Martin

Design details of Australia’s new F-35 Joint Strike Fighter (JSF) have been stolen by Chinese spies, according to reports this week, although it’s not clear whether the information was highly classified or not.

But this isn’t the first time information on the JSF has been stolen – it’s just one in a long history of security breaches involving the aircraft and its manufacturer Lockheed Martin.

In May 2013, the Washington Post reported that information on more than two dozen weapon systems was compromised by Chinese hackers, including ballistic missile defence systems, the V-22 Osprey tilt-rotor transport and the US Navy’s new Littoral Combat Ship.

The list also includes aircraft which Australia does or will operate: the Black Hawk helicopter, the P-8A Poseidon maritime patrol aircraft, the F/A-18 fighter, EA-18 Growler electronic warfare aircraft, the C-17 Globemaster III heavy transport as well as the JSF.

This is a vast range of stolen information and is not likely to be from a single incident, but a culmination of hacks and other thefts over a few years.

For example, in March 2011 the Pentagon admitted that 24,000 files were stolen from a US defence contractor. In May 2011, Reuters reported that the security systems of JSF manufacturer Lockheed Martin and other military contractors were broken into by hackers using duplicate “SecurID” electronic keys, but it was not clear what, if any, information was stolen.

Release going on for years

The JSF has been the subject of the theft or unintentional release of confidential or classified information at various times over the past two decades. In 1996, while Lockheed Martin, McDonnell Douglas and Boeing were in the new fighter competition, the Pentagon’s JSF Program Office inadvertently released Lockheed’s confidential cost and pricing information to the other two competitors.

In May 2001, much to the concern of the US, a petty thief stole a laptop from a British military officer in London. The laptop, which was eventually recovered by the British Ministry of Defence, contained details of progress on the development of the JSF.

In 2009, the Wall Street Journal reported that hackers had been breaking into the JSF project since 2007, and:

[…] appear to have been interested in data about the design of the plane, its performance statistics and its electronic systems.

The report continued:

The intruders compromised the system responsible for diagnosing a plane’s maintenance problems during flight […] [the] plane’s most vital systems – such as flight controls and sensors – are physically isolated from the publicly accessible internet.

At the time, Lockheed and the US Department of Defense downplayed the seriousness of the report. A Lockheed official was reported to have said:

Representation of successful cyber attacks on the F-35 [JSF] program [are] incorrect.

This was amended with the statement:

To our knowledge there has never been any classified information breach [despite] attacks on our systems continually.

A Pentagon spokesperson said there were “no special concerns”. Similarly, the Australian Department of Defence was reported to have said that:

[…] it has spoken with US Defence officials and Lockheed Martin about the alleged breach, but says extra sensitive data is not kept on systems connected to the internet.

Investigating the thefts

In the prologue to his 2014 book @War: The Rise of the Military-Internet Complex, Shane Harris provides details on the investigation into the security breaches. Harris said that the hackers were operating for months before anyone had noticed.

The US Air Force worked out that the information wasn’t taken from a military computer, and investigators began to look at the computer systems of contractors. Harris writes that the US Air Force brought in its own hacker to investigate but when he arrived at the Lockheed office he was greeted not by officials overseeing the JSF construction, but by the company’s lawyers.

The US Air Force’s top generals demanded that Lockheed and other contractors cooperate with the investigation, which eventually discovered that Lockheed’s network had been “breached repeatedly”.

They couldn’t say precisely how many times, but they judged the damage as severe, given the amount of information stolen and the intruders’ unfettered access to the networks. In the entire campaign, which also targeted other companies, the spies had made off with several terabytes of information on the jet’s inner workings.

If events of the past year are any indication, electronic theft of JSF information has been much more successful than the physical theft of information. In January 2014, US citizen Mozaffar Khazaee was arrested after trying to send items to Iran including:

[…] numerous boxes of documents consisting of sensitive technical manuals, specification sheets, and other proprietary material for the F-35 [JSF].

The shipment included:

[…] thousands of pages of documents, including diagrams and blueprints of the high-tech fighter jet’s engine.

In July 2014, the US Justice Department charged Su Bin, a Chinese citizen who was living in Canada, with stealing sensitive information about Boeing’s C-17 and Lockheed’s F-22 and F-35 JSF. Working with two co-conspirators in China, Su was breaking into Boeing and Lockheed computers between 2009 and 2013.

In November 2014, Chinese national Yu Long was arrested while carrying:

[…] sensitive proprietary information on titanium used in a US Air Force program, most likely the F-35 Joint Strike Fighter.

Secret or sensitive information?

In the 2014 cases outlined above, it is important to note the term “sensitive” as opposed to classified or secret. The information may be commercially confidential, but not classified at a national security level.

Likewise, it is not clear from the reports this week whether classified information on the JSF has been stolen. The slide in question, published by the German newspaper Der Spiegel, is marked “Secret”, the whole presentation “Top Secret”, but the (U) for each piece of information indicates “Unclassified”.

What is not known is the security classification of the information stolen, as opposed to classification of the slide itself. Lockheed and Pentagon officials who stated in 2009 that no “classified” information was stolen may be technically correct, but it is still problematic.

In 2013, US Defence acquisitions chief Frank Kendall admitted to a Senate hearing that:

A lot of [unclassified information] is being stolen right now and it’s a major problem for us.

Kendall was not primarily concerned that the loss of information would make the JSF vulnerable to attack, but rather that it:

[…] reduces the costs and lead time of our adversaries to doing their own designs, so it gives away a substantial advantage.

What now for Australia’s JSF plan?

So what does all this mean for Australia’s commitment to the JSF? The federal government has committed to buying 72 of the F-35A version of the JSF at a total cost of A$12.4 billion, with the first to be operational by 2021.

For decades, a pillar of Australia’s defence policy has been possessing a technological edge over other nations in the region. It’s paid a significant premium to maintain that edge with the JSF but the theft of information, even unclassified information, erodes the technological edge in terms of quality and timeframes.

That being said, the JSF is much more than a weapons system. It is an enabler of networked information warfare, and it is the information’s technological edge which is critically important. Information warfare is the process of protecting one’s own sources of battlefield information and, at the same time, seeking to deny, degrade, corrupt, or destroy the enemy’s sources of battlefield information.

It is not clear if the electronic and information warfare capabilities of the JSF have been compromised. But China has demonstrated its adeptness in cyberespionage, and it would be concerning if this was indicative of China’s capabilities for electronic and information warfare.

Apart from increasing security measures, the theft of data over the past decade does not have significant short-term consequences for the US or Australia. But the long-term consequences remain unknown, at least until the capabilities of the JSF are fully developed, and we learn more about the Chinese fighters under development.