BERLIN – The U.S. Air Force is devoting fresh energy to plugging cybersecurity holes in the F-35's external support systems, as they are deemed the easiest entry points for hackers into the fifth-generation combat jet, according to a key service official.
“It’s a software-based aircraft, and any software-based platform is going to be susceptible to hacking,” Brig. Gen. Stephen Jost, director of the Air Force F-35 Integration Office, told Defense News in an interview at the International Fighter industry conference here.
The service considers the information backbone of the actual airplane – managed by manufacturer Lockheed Martin – relatively safe. That is thanks to what Jost called “multilayer security protections” ranging from secure authentication when crafting mission data packages for each aircraft before takeoff, to pilots punching in personal identification numbers to start up the plane.
The confidence wanes “as you get further from the air vehicle,” Jost said. When taking into account systems like the Autonomic Logistics Information System or the Joint Reprogramming Environment, there are “a lot of nodes of vulnerability that we’re trying to shore up,” he added.
The Autonomic Logistics Information System, or ALIS, is a key application meant to provide unprecedented automation in monitoring the status of the aircraft's components. The Joint Reprogramming Enterprise refers to government software labs compiling collections of updated threat characteristics – Russian tanks, for example – for upload into the aircraft so that its sensors can recognize targets.
Additionally, officials worry about cyber-hardening F-35 flight simulators, which could be attractive targets for hackers seeking information about the plane. The introduction of wireless applications for easier maintenance on the flight line also could pose new vulnerabilities that must be addressed, Jost said.
The Government Accountability Office published a report in October warning about cyber vulnerabilities in almost all of the Defense Department's weapons. The shortfalls exist because many systems were conceived at a time when cyber attacks were still in their infancy.
“In operational testing, DOD routinely found mission-critical cyber vulnerabilities in systems that were under development, yet program officials GAO met with believed their systems were secure and discounted some test results as unrealistic,” auditors wrote. “Using relatively simple tools and techniques, testers were able to take control of systems and largely operate undetected, due in part to basic issues such as poor password management and unencrypted communications.”
A key examination phase for the F-35 program, called initial operational test and evaluation, was set to begin this week. The test plan, required for all major programs, typically includes a regimen of cyber probing.
Sebastian Sprenger is Europe editor for Defense News, reporting on the state of the defense market in the region, and on U.S.-Europe cooperation and multinational investments in defense and global security. He previously served as managing editor for Defense News.