The US Pentagon is unable to check in on key maintenance of the hugely expensive F-35 Joint Strike Fighter (JSF) thanks to information security failings with a Lockheed Martin database.
Engine and airframe maintenance data contained in the database is inaccessible because it is non-compliant with US Cyber Command's security requirements.
As a result personnel cannot access the database from government networks.
Department of Defence (DoD) operational test and evaluation boss Michael Gilmore wrote in an annual report that the non-compliance meant personnel have been unable to access the database for scheduled reviews via government networks.
Combat testing of the F-35 will therefore likely be delayed by a year or more.
Gilmore also found information security problems (PDF) across DoD infrastructure, noting that like previous audits critical holes were "consistently found" in exposed or poorly managed credentials, misconfigured and unpatched systems, and borked trust relationships
He says DoD is reluctant to give red teams full scope to act as opposing forces (OPFOR) during training for fear that it could affect kinetic training exercises.
That is a wrong conclusion, according to the auditor, who states DoD should expect attacks against all mission-critical systems.
Upcoming security audits.
Defence red teams act as fully capable OPFOR (opposing forces in war games) throughout the year. In the private sector they are deployed in only the most security-savvy organisations to fully stress-test their defences.
"In order to attain a high state of mission readiness, CCMDs (Combatant Commands) and supporting defenders should conduct realistic tests and training that include cyber attacks and effects representative of those that advanced nation states would execute," Gilmore writes.
DoD blue team defenders have been consistently unlikely to detect red teams, an imbalance that is mirrored in the private sector.
The report says the agency has lost members of its red team to the private sector at a time when real attacks are more likely, Gilmore added.
It recommends DoD expedites best practice, including reducing privileged users, increasing training, and to appoint an executive agent in charge of cyber operations.
The audit team provided DoD with tools to assess the suitability of its red teamers for its experimental Cyber Protection Team training, a mechanism that in tests "significantly" improved personnel's offensive capabilities.
That training effort conducted in May last year could result in a much more capable army of US hackers.
The audit office will provide complete results to DoD on the effectiveness of the new training scheme. ®