F-35 project hacking case highlights need for tighter contractor security

Published 22 April 2009

Hackers managed to download terabytes of information about one of the Pentagon’s most prized weapons systems; experts say this latest breach highlights the need for stricter security requirements for contractor networks

A breach of computer networks that contractors use to support a major weapons program highlights why government should enforce stricter cybersecurity requirements for companies that do business with federal agencies, said former security professionals. The Wall Street Journal reported that hackers downloaded data about the Joint Strike Fighter, a multibillion-dollar high-tech fighter jet known as the F-35 that the Defense Department is building, by exploiting vulnerabilities in the computer networks that contractors use to design and build the aircraft’s weapon systems. The potential impact of the breach is unknown, but the most sensitive material was stored on computers not connected to the Internet and could not be accessed, WSJ reported.

“This shows how interconnected our government and industry systems are,” Gregory Garcia, who served as assistant secretary of cybersecurity and telecommunications at DHS during the Bush administration and now runs the information security consulting firm Garcia Strategies, told NextGov’s Jill R. Aitoro. “DHS and DoD have been trying to get contractors and other major companies to find common standards of practice to protect networks from these sophisticated breaches. There needs to be a new-order requirement on companies doing business with the federal government.” Government should develop similar standards for securing the global supply chain from malicious software and hardware implants that send stolen information to cyber spies who have access to federal networks, he said.

The breach also underscores the need to manage outsourcing IT functions in the Defense Department. “The outsourcing of many critical information functions within the DoD creates an aquatic environment, which allows for adversaries to transit into once segregated systems,” said Tom Kellermann, vice president of security awareness at Core Security Technologies and former senior data risk management specialist for the World Bank treasury security team.

He said Titan Rain, the government name for a series of coordinated attacks on computer systems in the United States that started in 2003, was an example of such an attack. Hackers gained access to computer networks at Lockheed Martin Corp., Sandia National Laboratories and NASA, among others.

“These incidents are becoming more prevalent,” Kellermann said. “The Cold War is back, but this time it is digital.”

Aitoro writes that, for security reasons, Defense does not comment on alleged or actual cyber infiltrations, potential impacts to operations, or possible investigations, according to a prepared statement from Air Force Lt. Col. Eric Butterbaugh, a Pentagon spokesman. “DoD systems are probed daily,” he said.

“We aggressively monitor our networks for intrusions and have appropriate procedures to address these threats,” Butterbaugh added.

Lockheed Martin, the lead contractor for the Joint Strike Fighter program, questioned the report. “While we don’t usually comment on security matters, we believe the article in the Wall Street Journal was incorrect in its representation of successful cyberattacks on the F-35 program,” said Cheryl Amerine, a spokeswoman for Lockheed. “To our knowledge, there has never been any classified information breach. Like the government, we have attacks on our systems continually and have stringent measures in place to detect and stop attacks.”

Security researchers said Defense could improve monitoring of networks. Alan Paller, director of research at the SANS Institute, said that while it’s impossible to stop all cyberattacks, federal agencies, including Defense, could do a better job at real-time, continuous monitoring of network activities.

Kellermann said Defense should conduct more so-called red teaming exercises, which simulate cyberattacks, and more penetration tests aimed at not only Defense systems but also contractors’ networks, which hackers often attack to infiltrate sensitive networks.

“The question to ask is whether anyone is actually watching,” said a former intelligence official who asked to remain anonymous. “If no alarms are triggered, will anyone see the anomalous behaviors? Somebody needs to be mindful of what’s happening at all times.”

The source said the infiltration into systems for the F-35 is no different than the recent penetration of computer systems that support the nation’s electric grid.

“These are all Web-based attacks, where people posted seemingly unclassified but sensitive information,” he said. “The answer is to not put this information on Web sites. There’s simply no way to protect every avenue of approach that a sophisticated adversary may take to get at data.”