The Pentagon’s most expensive program, the F-35 Joint Strike Fighter, might prove to be as vulnerable to enemy hackers as inadequately armored Humvees were to roadside bombs, and could prove even more costly to remedy, warned former vice-chairman of the Joint Chiefs of Staff, Gen. James Cartwright, USMC (Ret.)
“We built the F-35 with absolutely no protection for it from a cyber standpoint,” he said, speaking at the annual Joint Warfighting Conference hosted by the US Naval Institute and the industry group AFCEA, according to a report on Breaking Defense, an affiliate of Breaking Gov.
Regarded in military circles as much for his technology prowess as he was for military strategy, Cartwright pointed disapprovingly at the military’s inability to move past a procurement process that stills focuses primarily on “platforms” — jets, ships, submarines, ground vehicles — and not on the information technology those platforms carry,” he told the audience.
Those platforms are mature ones, he said, with “marginal space for improvement,” he said, according to the Breaking Defense report, whereas rapid advances in information technology offer huge returns for investment because available computing power doubles every 24 months.
Moreover, there are huge additional costs when the U.S. discovers it has developed the wrong platforms and has to physically rebuild them. He cited examples such as frantic efforts to add more armor to Humvees and to buy Mine-Resistant Ambush-Protected (MRAP) vehicles, which takes years and billions of dollars, Cartwright said.
Cartwright proposed among other remedies that aircraft need a switch that shuts off all the electronic apertures through which they can potentially receive transmissions, or else electronically savvy enemies hack into them, he told the audience.
“As a guy who (spent) his life on the offensive side of cyber, every aperture out there is a target,” said the former U.S. Marine Corps general.
In other remarks, Cartwright also warned that the Pentagon is likely to face another $250 billion or more in cuts, even if sequestration does not occur, making platform and procurement reforms even more important. Read more about Cartwright’s comments on Breaking Defense.
Cartwright meanwhile reiterated his concerns about the vulnerability of aircraft software earlier in the week, while also urging the U.S. to project a more visible display of offensive cyber weapons as a necessary move to send a warning to cyber-minded adversaries.
You have to convince them that there is a price for any action that is counter to good order and discipline. That means you need an offensive capability.”
Speaking at The George Washington University Homeland Security Policy Institute, on May 14, Cartwright stressed the need to instill a genuine fear that there will be consequences for those that institute cyber attacks on the U.S.
“You have to convince them that there is a price for any action that is counter to good order and discipline. That means you need an offensive capability,” he said in remarks that are available in a video posted by the Institute.
Cartwright also noted that safeguards built into a fighter jet’s computer today will likely be outsmarted by attackers before the 30-year lifespan of the jet is over, which means that military aviation investments will require continuous and expensive protections.
Demonstrating his deep familiarity with the nature of cyber operations, Cartwright also explained how software patches, meant to protect computers, paradoxically provide hackers a more visible target to attack.
Breaking a code will “cost the offender almost nothing,” he said, while for “the defender, it costs a lot.” The “basic surface area is increased every time you patch your software.”