{"id":181832,"date":"2016-03-05T20:08:00","date_gmt":"2016-03-06T01:08:00","guid":{"rendered":"https:\/\/www.panix.com\/~msaroff\/40years\/2016\/03\/05\/another-strike-against-the-f-35\/"},"modified":"2016-03-05T20:08:00","modified_gmt":"2016-03-06T01:08:00","slug":"another-strike-against-the-f-35","status":"publish","type":"post","link":"https:\/\/www.panix.com\/~msaroff\/40years\/2016\/03\/05\/another-strike-against-the-f-35\/","title":{"rendered":"Another Strike Against the F-35"},"content":{"rendered":"<div>Rather unsurprisingly, it is the logistics and prognostics software, ALIS.<\/div>\n<p>It has not been working right in tests, and even when it does, it means that there is effectively an off switch for any foreign buyer&#8217;s aircraft located in the United States.<\/p>\n<p>Now we learn that <a href=\"http:\/\/aviationweek.com\/defense\/f-35-alis-may-be-vulnerable-cyberattack\">they are intending to go live with the system before testing its vulnerability to hackers<\/a>: (<i>Paid subscription required<\/i>)<\/p>\n<blockquote><p><span style=\"color: blue;\"> The <a href=\"http:\/\/awin.aviationweek.com\/ProgramProfileDetails.aspx?pgId=613&amp;pgName=Lockheed+Martin+F-35+JSF\">F-35<\/a>\u2019s Autonomic Logistics Information System (ALIS) will deploy its next major software release\u20142.0.2\u2014in July, but concerns remain about performance and security. A report by the Director of Operational Test and Evaluation (<a href=\"http:\/\/awin.aviationweek.com\/OrganizationProfiles.aspx?orgId=25380\">DOT<\/a>&amp;E) released in January suggests delayed ALIS software may push back U.S. Air Force initial operational capability (IOC) and that the network\u2019s cybersecurity has become a key concern. <\/p>\n<p><a href=\"http:\/\/awin.aviationweek.com\/OrganizationProfiles.aspx?orgId=27191\">Lockheed Martin<\/a>\u2019s ALIS program manager, Jeff Streznetcky, says a U.S. <a href=\"http:\/\/awin.aviationweek.com\/OrganizationProfiles.aspx?orgId=23395\">Marine Corps<\/a> exercise at Twentynine Palms, California, in December and an ongoing Air Force test program at Mountain Home, Idaho, offer more representative indications of ALIS\u2019s readiness than the report. <\/p>\n<p>\u201cBy all accounts, ALIS performed exceptionally well\u201d at Twentynine Palms, he says, \u201cand the reports I\u2019m getting out of Mountain Home are similar. ALIS is doing its job supporting the warfighter and ultimately turning jets.\u201d <\/p>\n<p>\u2026\u2026\u2026<\/p>\n<p>Leaked National Security Agency briefing documents confirm China obtained F-35 engine schematics and radar designs after compromising program systems in the mid-2000s. Less attention has been focused on the kind of information routinely moving through ALIS, which may represent the program\u2019s biggest threat surface.<\/p>\n<p>\u201cThe Chinese see ALIS as a fantastic opportunity to enhance and improve their own fighter-aircraft capabilities,\u201d says Bill Hagestad, a retired Marine Corps colonel and expert on Chinese cyber competencies. \u201cBut ALIS data would also be of considerable operational and strategic value to the Chinese if they were able to take a look at the disposition and laydown of deployed combat aircraft.\u201d <\/p>\n<p>According to a 2015 report by cybersecurity vendor FireEye, it takes 205 days on average for network breaches to be detected. Even if all data are encrypted, content could be inferred through analysis of network traffic patterns. Attackers can remain undetected longer if they are leveraging previously unknown vulnerabilities. <\/p>\n<p>ALIS\u2019s security is not just dependent on Lockheed\u2019s own software and network defenses deployed on the different national and corporate systems ALIS data transits. The system incorporates a number of off-the-shelf component programs to handle logistics management and other functions: This has cut development timescales and lowered costs, but any vulnerabilities in those products become ALIS vulnerabilities.<\/p>\n<p>\u2026\u2026\u2026<\/p>\n<p>A comprehensive, ongoing cybersecurity testing regime would appear to be a necessity. Yet the DOT&amp;E report states: \u201cThe program currently does not plan to conduct cybersecurity penetration testing during the development of this ALIS release [2.0.2], or any future developmental releases, but will instead rely on previous, albeit limited, cybersecurity test results.\u201d <\/p>\n<p>This has not gone over well with cybersecurity experts. \u201cSuggesting that this should be deployed before it\u2019s properly tested and then tested after it\u2019s deployed is backward security,\u201d says Adriel Desautels, founder of penetration-testing specialist Netragard. \u201cI don\u2019t have a word strong enough to describe the level of absurdity involved with that. You can\u2019t possibly deploy something that\u2019s this sensitive and just have blind faith that you won\u2019t get hacked.<\/span><\/p><\/blockquote>\n<p><a href=\"http:\/\/i.imgur.com\/gVCBeh0.jpg\" rel=\"lytebox\"><img decoding=\"async\" src=\"http:\/\/i.imgur.com\/gVCBeh0.jpg\" style=\"cursor: pointer; float: right; margin: 0px 0px 10px 10px;\" width=\"150\" \/><\/a>Of course, Lockheed-Martin and the Pentagon maintain that they will deal with any potential vulnerabilities as soon as they get a round to it.<\/p>\n<p>They want to get the aircraft into the field and have a large captive market before people realize that the aircraft is an unaffordable dog.<\/p>\n<p>Ship, then fix.<\/p>\n<p>As any computer gamer knows, there is a a whole world of grief that comes from this arrangement.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Rather unsurprisingly, it is the logistics and prognostics software, ALIS. It has not been working right in tests, and even when it does, it means that there is effectively an off switch for any foreign buyer&#8217;s aircraft located in the United States. Now we learn that they are intending to go live with the system &hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1007,1060,987,1006,1025],"tags":[],"class_list":["post-181832","post","type-post","status-publish","format-standard","hentry","category-aviation","category-computer","category-fail","category-military","category-technology"],"_links":{"self":[{"href":"https:\/\/www.panix.com\/~msaroff\/40years\/wp-json\/wp\/v2\/posts\/181832"}],"collection":[{"href":"https:\/\/www.panix.com\/~msaroff\/40years\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.panix.com\/~msaroff\/40years\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.panix.com\/~msaroff\/40years\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.panix.com\/~msaroff\/40years\/wp-json\/wp\/v2\/comments?post=181832"}],"version-history":[{"count":0,"href":"https:\/\/www.panix.com\/~msaroff\/40years\/wp-json\/wp\/v2\/posts\/181832\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.panix.com\/~msaroff\/40years\/wp-json\/wp\/v2\/media?parent=181832"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.panix.com\/~msaroff\/40years\/wp-json\/wp\/v2\/categories?post=181832"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.panix.com\/~msaroff\/40years\/wp-json\/wp\/v2\/tags?post=181832"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}