Laird said it made sense for Lockheed, as the jet manufacturer, to continue running ALIS since maintenance data could improve production and increase parts reliability. “To treat this as if it were a classic sustainment program is to miss the whole point,” he said.
NAVY’S SURPRISE ATTACK
Lockheed runs ALIS from a large, darkened control room in Fort Worth, Texas. ALIS gives pilots access to their mission plans, but they don’t need the system to fly the radar-evading F-35, which will replace nearly a dozen different warplanes now in service worldwide. However, the system allows the military to track, diagnose and predict the health of planes in the fleet, not unlike modern “smart cars” that prompt drivers to check tire pressure or change the oil.
Lockheed says ALIS will revolutionize the way military airplanes are serviced and maintained, saving billions of dollars over the life of the program.
But increased sophistication brings greater security risk. Lockheed said it uses in-house “hackers” to test vulnerabilities in its networks and notifies suppliers if it finds any.
Still, the company was not aware of the Navy’s stealthy penetration of the system while it was happening. Tom Burbage, Lockheed’s general manager for the F-35 program, acknowledged that the Navy’s cyber-expert “red team” took Lockheed by surprise.
“It was meant to be a covert surprise, and it was,” he told Reuters. “It’s classified. It was need-to-know. We didn’t know any of the details until we eventually got people who were cleared who got the details.”
The problem the Navy exploited, according to several people familiar with the program, centered on the fact that ALIS includes both classified and unclassified data streams, and the two were not properly separated to prevent intrusions.
Burbage said Lockheed developed a “fairly straightforward fix” that did not require major adjustments to the ALIS system, which is now at about 94 percent of its final capability. He said the Pentagon’s initial ALIS specifications did not require separating classified and unclassified data, since cyber threats were less prevalent in 2001 when the F-35 program began.