China compromised F-35 subcontractor and forced expensive software system rewrite, academic tells MPs

CSIS policy wonk describes supply chain attack to Parliament


The F-35 fighter jet programme’s costs were inflated after China compromised a software vendor in Lockheed Martin’s supply chain, forcing a ground-up rewrite of a potentially affected system, a policy wonk has told UK Parliament.

While giving evidence to a Defence Committee hearing on cyber threats to the British military, American academic Dr James Lewis claimed China had compromised a subcontractor working on the supersonic stealth jet project and potentially infected software destined for installation aboard the jet.

Seeking clarification of Lewis’ point, committee chairman Tobias Ellwood MP asked him: “Can you just elaborate on that and where that went to, was it stopped or something that we are having to live with?”

Lewis, a senior veep with the US Center for Strategic and International Studies (CSIS) think tank, replied: “Lockheed Martin itself did a great job of protecting its systems but as we’ve heard from the earlier discussion, as you go down the level of contracting, not everyone is perhaps as secure as you might want. So that’s the allegation; going through a subcontractor, the Chinese were able to gain access.”

He continued: “What they were able to do we do not know, the vulnerability was closed and the software was largely re-written to ensure it did not contain unwanted surprises.”

Earlier he had referred to the incident as a “rumour” partially explaining “why the F-35 is so expensive.”

It appears from Lewis’ brief description that this is a different incident from the one reported by the US Wall Street Journal in 2009, when “computer spies” were said to have breached the Pentagon’s Joint Strike Fighter programme to steal F-35 data, including “several terabytes of data related to design and electronics systems.”

Ellwood, a Conservative MP and former British Army captain, replied to Lewis: “OK, that’s the assurance we wanted given that we’re purchasing these aeroplanes, [that] it’s no longer a concern.”

Earlier this year the US Department of Defense’s Director, Operational Test and Evaluation (DOT&E), effectively a watchdog, published a report criticising F-35 software development practices. In particular DOT&E declared that the programme’s use of Agile methodology was “high risk”, and that shipping minimum viable product (MVP) releases of safety-critical items such as flight controls and weapons was an inappropriate model to follow.

The UK has some say in how Lockheed builds the F-35; its contributions include the lift fan for the short take-off and vertical landing (STOVL) B model fielded by the RAF, Royal Navy and US Marines. That contribution alone is worth about 10-12 per cent of the list price for each B-model airframe.

Lockheed Martin has been asked for comment.

Lewis’ fellow witness, Dr Beyza Unal, added later in the session, speaking of cybersecurity and offensive online operations: “I think Russia is really taking the bet on this… they have done a lot of testing in Georgia, Ukraine and Syria, what type of cyber operations they do and take during crisis and conflict. In Western countries we do not test these things in real time.”

This chimes with warnings from former NCSC chief Ciaran Martin that policymakers should avoid seeing the internet as the 21st century’s new battlefield. ®


Biting the hand that feeds IT © 1998–2020