Yesterday, at a subcommittee hearing attended by just half a dozen Senators, the Pentagon’s top weapons buyer made a blunt admission: The military’s most expensive program, the stealthy F-35 Joint Strike Fighter, has been hacked and the stolen data used by America’s adversaries. Under Secretary Frank Kendall didn’t say by whom, but the answer is almost certainly China, a cyber superpower whose People’s Liberation Army Air Force has recently rolled out some suspiciously sophisticated stealth fighter prototypes of its own. The Russians also have skilled hackers and “5th Generation” stealth jet programs, but they’re not suspected of such direct copying, at least not yet.
“I’m confident the classified material is well protected, but I’m not at all confident that our unclassified information is as well-protected,” said Kendall, the Under Secretary for Acquisition, Technology, and Logistics. “It’s a major problem for us…. What it does is reduce the costs and lead time of our adversaries to doing their own designs, so it gives away a substantial advantage.”
The bad news isn’t new news: That someone had hacked F-35 subcontractor BAE Systems was first reported six years ago, and just this February Washington Post reporter Ellen Nakashima obtained leaked information naming the Chinese as having compromised not just the F-35 but two dozen other weapons program. Administration officials have been publicly pressuring China to rein in its hacking. But it’s still remarkable that such a senior official would so bluntly admit that US interests have been so directly harmed.
So what does this mean for a future conflict? The nightmare — raised by a recent Defense Science Board report — is what you might call the Battlestar Galactica scenario: Our fighters close in on the enemy, the bad guys push a button, and all our systems shut down, crippled by cyber-attacks via “back doors” previous hacks created in the security software. In this case, thankfully, that seems unlikely. Kendall made clear that classified data has remained secure (so far, we think): It’s unclassified data in contractors’ computers that has been stolen, not the military’s secret codes.
Nor do we have a Death Star scenario, where the enemy has stolen the “secret plans” that show them how to blow up our weapons with a single well-placed shot. (Note that in this scenario Luke Skywalker is Chinese. Certainly many Chinese see themselves as the plucky farmboys, trained in mystic martial arts, up against a technologically superior empire). No one has stolen the complete blueprints to the F-35, which are in fact servers full of digital design data you could never fit into a single blue-and-white droid.
That said, the information that China and maybe Russia have stolen will make it easier to design counter-measures to our weapons, improving their chances to hack, jam, or just plain shoot down American aircraft. Even if we don’t expect to fight the Chinese or the Russians — we certainly hope we won’t, not least because they have nuclear weapons — they have a nasty habit of selling advanced weapons to people we are likely to fight, like Iran.
And in some ways what they’ve stolen is worse than stealing “secret plans”: They’ve stolen data on how US and allied arms manufacturers make advanced weapons systems. So instead of having to just copy our stuff, they have a leg up on learning how to design equivalent systems on their own.
This industrial espionage problem goes far beyond armsmakers. Indeed, the value of what’s been stolen from the defense industry is just a tiny fraction of the intellectual property stolen from commercial business in what the man who heads both National Security Agency and US Cyber Command, Gen. Keith Alexander, has called “the greatest transfer of wealth in history.”
In the commercial sector, however, at least the Chinese have to break into a lot of different baskets before they steal all our eggs: There are countless companies, each with its own innovations and jealously (if not effectively) guarded intellectual property. Not so in the defense sector. As defense budgets have shrunk since the end of the Cold War while defense programs became ever more bank-breakingly expensive, the industry responded by merging many competing companies into a handful, and the Pentagon responded by cancelling or consolidating competing programs.
The great example of this all-eggs-in-one-basket approach was the F-35. Of the three companies that originally competed for the Joint Strike Fighter program, one, McDonnell Douglas, went out of business after it lost, while the other losing bidder, Boeing, has basically stopped working on new fighters. (Boeing, of course, remains a big player in both commercial airliners and military transports, and it still builds many fighter of older designs). The very name of the Joint Srike Fighter refers to how it consolidated separate Air Force, Navy, and Marine Corps development programs into a single “joint” mega-project.
Building one plane to meet the needs of three armed services turned out to be much harder than the Pentagon had hoped. In the past, by contrast, each service largely developed its own equipment and, while often inefficient, it was at least possible for a service whose programs were struggling or inferior to (grudgingly) buy a better weapon originally built for another, as when the Air Force bought the Navy F-4 Phantom fighter for Vietnam.
But having gotten rid of all the alternatives in the name of efficiency and cost savings, we have no choice but stick with the F-35, despite its inefficiencies and cost overruns — what Under Secretary Kendall has called “acquisition malpractice” — if we want to stay in the stealth fighter business. And with all our eggs in one basket, an enemy who hacks into a single weapons program will have dangerous insights into the majority of our future fighter fleet.