An unknown cyber criminal (or group of them) has broken into computer systems housing information about the U.S. Defense Department’s $300 billion Joint Strike Fighter project, the Wall Street Journal reports today, citing a number of “current and former government officials familiar with the attacks.”
It’s unclear how much damage the attacks have caused to the jet-fighter project, given that the cyber intruders were able to download “sizable amounts of data” related to the aircraft’s (also called the F-35 Lightning II) in-flight maintenance diagnostics but weren’t able to access the most sensitive information, related to flight controls and sensors (which is stored on computers not hooked up to the Internet), according to the Journal. The Air Force is currently testing prototypes of the aircraft, said to be the most expensive ever commissioned by the Pentagon.
The attackers allegedly access the Joint Strike Fighter information by exploiting vulnerabilities in the networks of two or three contractors helping to build the high-tech fighter jet, the Journal reports, citing “people who have been briefed on the matter.” Although none of the contractors have commented publicly on the computer compromise, Lockheed Martin is the lead contractor on the program, while Northrop Grumman Corp. and BAE Systems PLC are also playing important roles in its development. “Computer systems involved with the program appear to have been infiltrated at least as far back as 2007,” according to the Journal, which cites unnamed sources who state that the intruders appear to have been interested in data about the design of the plane, its performance statistics and its electronic systems. The guilty party loaded software onto the Pentagon’s computers that encrypts the data as it’s being stolen, which means investigators don’t know exactly what data has been taken.
This latest alleged cyber intrusion comes less than two weeks after the Journal reported that spies from China, Russia and other countries have hacked into the U.S. electricity grid and installed software that could cause mass outages, a story that has been criticized by some computer experts as hype perpetuated by government officials looking for more funding.
It’s unlikely that U.S. investigators will be able to ascertain the identities of those behind the attack, unless they can get the cooperation of China and any other countries that might be involved, says Dorothy Denning, a professor of defense analysis at the Naval Postgraduate School in Monterey, Calif. Of course, it’s also possible that computers in China were hacked into in order to make it look like China is to blame, she adds.
State-sponsored spies aren’t the only ones who’ve successfully hacked into U.S. government computers though. Scottish computer hacker Gary McKinnon, 42, has for years been fighting extradition to the U.S. for in 2001 and 2002 allegedly breaking into networks owned by NASA, the US Army, Navy, Department of Defense, and the Air Force, causing about $800,000 in damage and ruining 300 computers. McKinnon, who suffers from Asperger’s Syndrome and could face life in prison in the U.S. if convicted, says that he hacked into U.S. government systems that had no password or firewall protection to search for information on “UFOs, free energy and anti-gravity technology,” Sky News reports.
There’s no silver bullet for protecting sensitive information, Denning says. Encrypting data might help, she adds, but an “adversary may be able to fool the system into decrypting the data or plant malicious code on the system that captures keys.”
Government computer security is a big problem, but some agencies do better than others, according to Denning, who points to the annual FISMA report (mandated by the Federal Information Security Management Act of 2002). The 2007 report gave five federal agencies (the Social Security Administration, Justice Department, Environmental Protection Agency, Agency for International Development, and National Science Foundation) an “A+” for their security efforts, but the average score was a “C” (and the Defense Department received a “D-“).
Image of an F-35 Lightning II Joint Strike Fighter taking off from a Lockheed Martin facility in Fort Worth, Texas, © U.S. Air Force