Foreign F-35 Users Spend Millions To Stop Jet’s Computer From Sharing Their Secrets

Share

Lockheed Martin has received a multi-million dollar contract for work on a firewall that will allow F-35 Joint Strike Fighter operators to prevent the transfer of potentially sensitive information that the jet’s sensors and computer brain scoop up and send back to the United States via a cloud-based network. The development comes as foreign partners in the project become increasingly worried about the data that the aircraft is collecting and storing, but concerns could remain about security breaches or if the links to the system gets cut altogether, especially in the middle of a crisis.

The Pentagon announced the deal, which came through the U.S. Navy, the service that is presently in charge of the main F-35 Joint Program Office (JPO), on Aug. 17, 2018. The Maryland-headquartered defense contractor is set to receive more than $26 million – all of which is funding from the program’s international partners – to craft what the U.S. military is calling the Sovereign Data Management (SDM) system for the Joint Strike Fighter’s Autonomic Logistics Information System (ALIS). The contract covers work through June 2020, but it’s not clear if a final version of the new data transfer setup will be ready for operational use by then.

“This effort provides F-35 international partners the capability to review and block messages to prevent sovereign data loss,” the Pentagon’s daily contracting announcement explained. “Additionally, the effort includes studies and recommendations to improve the security architecture of ALIS.”

As it exists now, ALIS harvests an immense amount of data on the aircraft’s systems, which is supposed to help ground crews identify and fix problems. It also sends that information back to the F-35 JPO and Lockheed Martin’s offices so that specialists can see if parts are wearing out as expected or if there are previously unknown, but common points of failure that might need some sort of modification or upgrade down the line. Lockheed Martin sends out critical software patches via ALIS, as well.

message-editor%2F1534871760382-f-35-ita.jpg
An Italian F-35B Joint Strike Fighter., USN

But it also handle mission data packages. When the jets return to base, personnel on the ground extract that and other additional information that the aircraft’s sensors may have recorded. during the sortie for debriefing and other analysis. This could include a host of national security secrets, including records of the plane’s flight path and mission profile, communications data, video imagery, electronic signatures and locations of friendly and opposing radars and other emitters, and potential details about a country’s tactics, techniques, and procedures.

There has been a separate concern that once any information ended up on Lockheed Martin’s servers, that it could be vulnerable to a cyber attack, either directly against the company or against one of many subcontractors scattered across 45 states and Puerto Rico. Testing in 2017 revealed that known vulnerabilities in F-35 related networks had gone unaddressed, according to the most recent routine review of the program from the Pentagon’s Office of the Director of Operational Test and Evaluation.

I have laid out the worst case scenario for a breach of ALIS in the past:

“The nightmare scenario would involve an opponent causing a disruption during an actual crisis by either actively feeding bad information into the ALIS system or otherwise disabling some portion of it or its overarching architecture. The interconnected nature of the arrangement might allow a localized breach to infect larger segments of the F-35 fleet both in the United States or abroad or vice versa. It’s not hard to imagine the time and energy needed to sort out real inputs and outputs from fake ones hampering or halting operations entirely under the right circumstances. 

Given the jet’s low-observable characteristics, advanced defensive systems, and other sensors, a cyber attack would be an attractive option for any enemy force. Why would an enemy use a $500,000 air-to-air or surface-to-air missiles and put their personnel and equipment at risk in an attempt to down an F-35 when a simple worm may be able to do the same to a whole fleet of F-35s? It could also do so with plausible deniability, something kinetic weapons are far less adept to.”

message-editor%2F1534871814023-alis.jpg
A member of the US Air Force uses a laptop to access the ALIS components on one of the service’s F-35A jets., USAF

So, not surprisingly, the foreign members of the F-35 program are wary of exactly what ALIS might be grabbing and sending back not only to the U.S. government, but to a private company, and then possibly putting at even greater risk of compromise. Even allies don’t typically share all of their secrets and they usually exchange any sensitive information in a way where they can sanitize it to protect their own sources and methods.

“Italy, in [this] specific case, wants to preserve its sovereignty on some information, avoiding any unnecessary disclosure,” an unidentified member of the Italian Air Force told FlightGlobal at the Dubai Air Show in 2017. “In order to do so, like other partners do, Italy took some actions to grant an effective use of the weapon system, without disclosing some data that are deemed sensible.”

At that time, Italy and Norway had already established a shared software laboratory at the U.S. Air Force’s Eglin Air Force Base in Florida to develop an interim firewall. The SDM, which includes various outside “studies and recommendations,” looks to be the culmination of that effort and others. The Royal Australian Air Force has been pursuing its own separate plans, as well.

However, there’s still a question of how much autonomy the additional data transfer system will give F-35 operators. Though Lockheed Martin had reportedly approved countries putting their own initial systems into place and is now designing these new tools, the firm has also been highly protective of ALIS’ code and other associated F-35 systems. As of October 2017, the U.S. military was still locked in deliberations with the company over what information would and wouldn’t be in the jet’s official operator’s manual.

message-editor%2F1534871661236-f-35-aus.jpg
An Australian F-35A., USAF

So far, only Israel has been able to secure the rights to operate its F-35I Adirs completely independently of ALIS if necessary and to add its own software on top of the system. Other Joint Strike Fighter users will remain dependent on the system even with the SDM.

The F-35’s interconnectedness already gives the U.S. government or Lockheed Martin an unprecedented level of export control. ALIS offers a way to cut off the distribution of software updates and important mission data to foreign operators, as well as possibly serve as an entryway for an offensive cyber attack to completely disable certain jets. Since ALIS identifies maintenance issues and helps order spare parts, it could make maintaining the already complex jets difficult, if not impossible. These are all things we at The War Zone discussed at length in the past here

The most obvious example of how the U.S. government might seek to use this capability is in its present diplomatic spat with Turkey, which includes a dispute over the latter country’s purchase of Russian S-400 surface to air missile systems. The U.S. military, as well as other F-35 operators, particularly other NATO members, are concerned that this could expose secrets about the Joint Strike Fighter’s capabilities to the Russians.

In the U.S. defense spending bill for the 2019 Fiscal Year, which President Donald Trump made law earlier in August 2018, Congress demanded a halt to any cooperation with the Turkish government on the F-35, among other weapon systems, until the Pentagon submits a report that includes “an assessment of the operational and counterintelligence risks … and the steps required to mitigate those risks.” 

message-editor%2F1534871509042-f-35-tur.jpg
The first F-35A for Turkey during a rollout ceremony in June 2018., Lockheed Martin

One step could be to use ALIS to limit or block Turkey’s access to Joint Strike Fighter software patches or other data. Of course, Turkey would still need some baseline software to operate the aircraft at all, which Russian technicians could seek to acquire access to, and there might just be opportunities to see how capable the S-400’s radars are or aren’t at spotting and tracking the stealthy jets. 

Another option might be to use ALIS as a sort of counterintelligence tool to more tightly monitor Turkish activities with the jets, such as when, where, and how they’re flying them, for potential threats. The Pentagon, which remains publicly supportive of continued cooperation with its Turkish counterparts, will likely present legislators with a variety of step to try to safeguard sensitive details about the F-35s.

These same issues could crop up if the U.S. government decides to allow additional countries to join the Joint Strike Fighter program. The United Arab Emirates, Saudi Arabia, and India have all expressed interest in the jets in the past and the latter two countries are buying S-400s, as well.

There have also been separate concerns that allowing the UAE and Saudi Arabia to buy F-35s could threaten Israel’s qualitative military edge in the region, despite warming ties between the three countries. ALIS could give the U.S. government enhanced safeguards to curtail Emirati or Saudi Joint Strike Fighter operations should the geopolitical situation change.

message-editor%2F1534897396379-f-35.jpg
A US Air Force F-35A., USAF

So, with or without the SDM, this arrangement continues to present a potential national security concern for any of the foreign F-35 operators. Now that they have secured the new data transfer rights from Lockheed Martin, operators might pursue greater leeway being able to use their jets independent of ALIS. 

This might just involve developing a mechanism to allow countries to temporarily work around the cloud-based network locally to continue conducting operations in the event of a broad cyber attack or another catastrophic fault in the system or protracted loss of connectivity, all of which could be serious threats during a major conflict. Lockheed Martin could set a time or flight hour limit on how long a country would be able to operate free of ALIS before needing to reconnect or seek some sort of extension from the company.

Lockheed Martin has been steadfastly opposed to any plan that might de-link ALIS from the Joint Strike Fighter, which could allow F-35 operators to hire other defense contractors to provide various services during the type’s lifecycle. Still, the new data transfer deal shows that it is willing to make some compromises and might be inclined to try and find further middle ground, especially if it decides to try and entice other countries to join the program.

All told, the SDM is an indication that the U.S. government and Lockheed Martin are aware of the need to address security concerns about ALIS among foreign partners in the F-35 program. But it’s also an indication that there may still be a lot of work left to do to meet the demands of all the parties involved in the project.

Contact the author: jtrevithickpr@gmail.com