Last March the US Inspector General of the Department of Defence issued a report on the Security Controls in the Joint Strike Fighter programme that raised concerns about information security. The report highlighted specific concerns about the lack of visibility of records from BAE Systems, and suggested that information may therefore have been compromised. Is the F35 hacked?
It is somewhat of a leap to say that, just because you can’t see the records, security may have been breached.
Protests from BAE followed, resulting in the withdrawal of the report in October 2008, the withdrawal note stating “we determined that we did not have sufficient evidence to support the report conclusion”.
The Wall Street Journal reports today, however, that a significant amount of data, several terabytes in fact, related to design and electronics has been obtained by Chinese hackers.
Oh dear, that can’t be good.
Cue rebuttals, denials and press statements galore from officials, former officials and all manner of interested stakeholders, some playing down the issue, stating that the data was low level and the ‘good stuff’ is held on systems not connected to the internet, whilst others worry that the world is about to end because of it.
No doubt stable doors are firmly being shut as we speak, but what is the value of the data, and whodunnit?
There is no doubt that Chinese hacking is on the increase, much of it directed by the People’s Liberation Army (despite strenuous denials), and the US is not alone in feeling the heat, a breach reportedly occurring in Turkey.
In September 2007 the Guardian reported on how Chinese hackers had attacked Whitehall computer networks, successfully in some cases. Responsibility for advising government departments on how to protect their networks rests with MI5, GCHQ, and the Centre for the Protection of the National Infrastructure in the Cabinet Office.
The several recent and highly embarrassing data breaches from the UK government and its agencies (although most of them were caused by bungling) have resulted in a much greater focus on information security. The newly released Government Security Policy Framework will likely go a long way to tightening up security across the public sector, although, as can be imagined, the MoD uses a much higher standard than a lesser department.
Whilst the data obtained from the JSF programme might not be as valuable as that held on private networks not connected to the Internet, it still has value: it can be used to validate other information or form pieces of a wider jigsaw. Whichever way you look at it, it is a bad thing.
Over at the Worldwide War Pigs blog the author makes the excellent point that the JSF programme is one of the largest collaborative industrial programmes ever, with a myriad of sites managed by main contractors, subcontractors and suppliers in at least 9 countries. All of these will have networks connected to the Internet.
How is it possible to maintain information security in the light of sophisticated, evolving and persistent threats in the context of a widely distributed network?
WITH A GREAT DEAL OF DIFFICULTY, THAT’S HOW
Each of these countries and suppliers will have different information security standards and capabilities. The only sensible strategy is a combination of perimeter and depth protection, using equally sophisticated protection and detection systems, separation and vulnerability scanning. It’s a complex game of cat and mouse, each playing their own game of 3D chess.
There must be lots of overtime available in the security functions at LM, BAE, MI5, DoD and the various other interested bodies around the world.
The real question, looking forward, is whether the JSF/JCA is going to be compromised by information security breaches as a result of the distributed nature of the programme.