Hacking the secrets of Australia’s Joint Strike Fighter

Design details of Australia’s new F-35 Joint Strike Fighter (JSF) have been stolen by Chinese spies, according to reports this week, although it’s not clear whether the information was highly classified or not.

But this isn’t the first time information on the JSF has been stolen –
it’s just one incident in a long history of security breaches involving the
aircraft and its manufacturer Lockheed Martin.

In May 2013, the Washington Post reported
that information on more than two dozen weapon systems was compromised
by Chinese hackers, including ballistic missile defence systems, the
V-22 Osprey tilt-rotor transport and the US Navy’s new Littoral Combat
Ship.

The list also includes
aircraft which Australia does or will operate: the Black Hawk
helicopter, the P-8A Poseidon maritime patrol aircraft, the F/A-18
fighter, EA-18 Growler electronic warfare aircraft, the C-17 Globemaster
III heavy transport as well as the JSF.

This is a vast range of stolen information and is not likely to be from
a single incident, but a culmination of hacks and other thefts over a
few years.

For example, in March 2011 the Pentagon admitted that 24,000 files were stolen from a US defence contractor. In May 2011, Reuters reported
that the security systems of JSF manufacturer Lockheed Martin and other
military contractors were broken into by hackers using duplicate
“SecurID” electronic keys, but it was not clear what, if any,
information was stolen.

Release going on for years

The JSF has been the subject of the theft or unintentional release of
confidential or classified information at various times over the past
two decades. In 1996, while Lockheed Martin, McDonnell Douglas and
Boeing were in the new fighter competition, the Pentagon’s JSF Program
Office inadvertently released Lockheed’s confidential cost and pricing
information to the other two competitors.

In May 2001,
much to the concern of the US, a petty thief stole a laptop from a British
military officer in London. The laptop, which was eventually recovered
by the British Ministry of Defence, contained details of progress on the
development of the JSF.

In 2009, the Wall Street Journal reported that hackers had been breaking into the JSF project since 2007, and:

[…] appear to have been interested in data about the design of the plane, its performance statistics and its electronic systems.

The report continued:

The intruders compromised the system responsible for
diagnosing a plane’s maintenance problems during flight […] [the]
plane’s most vital systems – such as flight controls and sensors – are
physically isolated from the publicly accessible internet.

At the time, Lockheed and the US Department of Defense downplayed the seriousness of the report. A Lockheed official was reported to have said:

Representation of successful cyber attacks on the F-35 [JSF] program [are] incorrect.

This was amended with the statement:

To our knowledge there has never been any classified information breach [despite] attacks on our systems continually.

A Pentagon spokesperson said there were “no special concerns”. Similarly, the Australian Department of Defence was reported to have said that:

[…] it has spoken with US Defence officials and Lockheed
Martin about the alleged breach, but says extra sensitive data is not
kept on systems connected to the internet.

Investigating the thefts

In the prologue to his 2014 book @War: The Rise of the Military-Internet Complex, Shane Harris provides
details on the investigation into the security breaches. Harris said
that the hackers were operating for months before anyone had noticed.

The US Air Force worked out that the information wasn’t taken from a
military computer, and investigators began to look at the computer
systems of contractors. Harris writes that the US Air Force brought in
its own hacker to investigate but when he arrived at the Lockheed office
he was greeted not by officials overseeing the JSF construction, but by
the company’s lawyers.

The US Air Force’s top generals demanded that Lockheed and other
contractors cooperate with the investigation, which eventually discovered
that Lockheed’s network had been “breached repeatedly”.

They couldn’t say precisely how many times, but they
judged the damage as severe, given the amount of information stolen and
the intruders’ unfettered access to the networks. In the entire
campaign, which also targeted other companies, the spies had made off
with several terabytes of information on the jet’s inner workings.

If events of the past year are any indication, electronic theft of
JSF information has been much more successful than the physical theft of
information. In January 2014, US citizen Mozaffar Khazaee was arrested after trying to send items to Iran including:

[…] numerous boxes of documents consisting of sensitive
technical manuals, specification sheets, and other proprietary material
for the F-35 [JSF].

The shipment included:

[…] thousands of pages of documents, including diagrams and blueprints of the high-tech fighter jet’s engine.

In July 2014,
the US Justice Department charged Su Bin, a Chinese citizen who was
living in Canada, with stealing sensitive information about Boeing’s
C-17 and Lockheed’s F-22 and F-35 JSF. Working with two co-conspirators
in China, Su was breaking into Boeing and Lockheed computers between
2009 and 2013.

In November 2014, Chinese national Yu Long was arrested while carrying:

[…] sensitive proprietary information on titanium used in a US Air Force program, most likely the F-35 Joint Strike Fighter.

Secret or sensitive information?

In the 2014 cases outlined above, it is important to note the term
“sensitive” as opposed to classified or secret. The information may be
commercially confidential, but not classified at a national security
level.

So too, it is not clear from the reports this week whether classified information on the JSF has been stolen. The slide
in question, published by the German newspaper Der Spiegel, is marked
“Secret”, the whole presentation “Top Secret”, but the (U) for each
piece of information indicates “Unclassified”.

What is not known is the security classification of the information
stolen, as opposed to classification of the slide itself. Lockheed and
Pentagon officials who stated in 2009 that no “classified” information
was stolen may be technically correct, but it is still problematic.

In 2013, US Defence acquisitions chief Frank Kendall admitted to a Senate hearing that:

A lot of [unclassified information] is being stolen right now and it’s a major problem for us.

Kendall was not primarily concerned that the loss of information would make the JSF vulnerable to attack, but rather that it:

[…] reduces the costs and lead time of our adversaries to doing their own designs, so it gives away a substantial advantage.

What now for Australia’s JSF plan?

So what does all this mean for Australia’s commitment to the JSF? The federal government has committed to buying 72 of the F-35A version of the JSF at a total cost of A$12.4-billion, with the first to be operational by 2021.

For decades, a pillar of Australia’s defence policy has been
possessing a technological edge over other nations in the region. It’s
paid a significant premium to maintain that edge with the JSF but the
theft of information, even unclassified information, erodes the
technological edge in terms of quality and timeframes.

That being said, the JSF is much more than a weapons system. It is an
enabler of networked information warfare, and it is the information’s
technological edge which is critically important. Information warfare
is the process of protecting one’s own sources of battlefield
information and, at the same time, seeking to deny, degrade, corrupt, or
destroy the enemy’s sources of battlefield information.

It is not clear if the electronic and information warfare
capabilities of the JSF have been compromised. But China has
demonstrated its adeptness in cyberespionage, and it would be concerning
if this was indicative of China’s capabilities for electronic and
information warfare.

Apart from increasing security measures, the theft of data over the
past decade does not have significant short-term consequences for the US
or Australia. But the long-term consequences remain unknown, at least
until the capabilities of the JSF are fully developed, and we learn more
about the Chinese fighters under development.

This article originally appeared at The Conversation.