The Pentagon hasn’t had updated information on maintenance of the F-35 jet since May because a Lockheed Martin Corp. database doesn’t meet new government cybersecurity requirements, according to the Defense Department’s testing office.
“Because of this non-compliance government personnel have not been able to access the database via government networks,” and that’s preventing a Pentagon-Lockheed team “from holding the planned reviews of maintenance records,” Michael Gilmore, the Defense Department’s testing chief, said in an assessment of the F-35, the costliest U.S. weapons program.
The shortfall in Lockheed’s database for engine and air- frame maintenance under security requirements imposed in August by U.S. Cyber Command is among computer security deficiencies outlined in Gilmore’s annual report on major weapons systems, posted Monday on his office’s website.
His office also found vulnerabilities for the Navy’s Littoral Combat Ship and significant, classified cybersecurity problems with an improved version of Lockheed’s towed sonar surveillance system for tracking submarines. “Cyber Red Teams” tested for the first time an air operations center from Northrop Grumman Corp. that the Air Force uses worldwide to plan and execute combat missions, finding 11 vulnerabilities, nine of which could pose significant risks to missions.
On the F-35, the Pentagon office in charge of the program “is investigating workarounds” to allow for reviews and access to the maintenance records until Lockheed can bring the database, known as the Failure Reporting and Corrective Action System, into compliance, according to the report. Lockheed spokesman Michael Rein didn’t have an immediate comment.
In addition to the cybersecurity issue, Gilmore said tests of how the F-35 will perform in combat won’t begin until at least August 2018, a year later than planned, meaning that more than 500 of the jets may be built before the assessment is complete.
While the Pentagon and military services made progress last year testing for and detecting cyber intrusions, “operational missions and systems remain vulnerable to cyber-attack,” according to the report.
Among improvements cited were a greater recognition among senior defense and military leaders of the threat of attacks and the value of redundant defenses as well as a hardening of networks that made it more difficult for hacking teams to penetrate during exercises.
In some networks, vulnerabilities were “mitigated by timely upgrades and software patches,” while more isolated systems had “much less success” stopping intrusions, Gilmore said. That underscored the importance of “a defense in depth,” he said.
Cyber Red Teams, which test whether systems can be hacked, often came close to causing significant damage but were restrained by test commanders from executing their most aggressive cyber tactics, according to the report.
Gilmore’s report also warned that the Defense Department must act to avert an imminent personnel shortage. The Pentagon and its regional military commands face a brain drain of certified Red Team forces even as demand has more than doubled since 2013 for their services.
U.S. Cyber Command competes for the hacking experts with teams used by the military services and private industry is hiring away Red Team members, Gilmore wrote.