Pentagon Fighter Jet Data Breach Was Avoidable

A report Tuesday by The Wall Street Journal said cyberspies cracked into the Joint Strike Fighter project, the Pentagon's costliest weapons program. The report indicated that the information targeted could help adversaries mount defenses against the radar-evading fighter jet, though the most sensitive information was not breached because it is stored on computers not attached to the Internet.

Following the report, a Pentagon official said he was not aware of any specific concern that the attacks compromised sensitive information or technology.

"I'm not aware of any specific concerns," Pentagon spokesman Bryan Whitman said, according to Reuters. Whitman added he was speaking generally and not talking about specific incidents.

While it was unclear on Tuesday exactly how the breach was carried out, The Wall Street Journal reported that intruders likely entered through vulnerabilities in the networks of the contractors involved in building the aircraft and that Pentagon insiders noted that Chinese networks are in some way involved in the cyberattack. Lockheed Martin is the project's lead contractor. Other contractors include Northrop Grumman and BAE Systems.

According to Aamir Lakhani, security solutions engineer with World Wide Technology, a St. Louis-based solution provider, the breach of the Joint Strike Fighter program, also known as the F-35 Lightning II project, could have been avoided.

"I think one of the ways this could have been prevented is by limiting what kind of information is stored on noncontrolled computers," he said. "Classified information should be stored on centralized computers. Taking advantage of cloud computing or centralized data themes could help prevent this information from leaking."

Lakhani said network security technologies could be set up to limit when and how data is accessed from the cloud and could be designed in a way that any computer accessing the information from the cloud is accessing it from a classified network over an encrypted VPN.

Lakhani added that the onus is on the Pentagon to better implement and enforce end-user desktop policies to further ensure the network is impervious to such attacks and data breaches. Network Access Control (NAC) technologies could ensure computers are abiding by corporate information security policies and quarantine or lock out users' machines if they are not up to snuff.

"Information security staff cannot rely on the good behavior of the user," he said. "It must be enforced automatically."

The U.S. has become increasingly concerned about potential cyberattacks. Earlier this year, U.N. Secretary-General Ban Ki-moon said cyberweapons will be added to the list of arms falling under the auspices of the U.N.'s Advisory Board on Disarmament Matters and said breaches of critical systems represent "a clear and present threat to international security."

Additionally, the Pentagon is developing the National Cyber Range program, part of the government's Comprehensive National Cybersecurity Initiative, which will enable the Pentagon to mimic the likely actions of cyber aggressors using the equipment hackers could use to launch attacks.

Lakhani said the real problem is information leakage and that sensitive information stored on computers is getting out onto the Internet. That can happen when policies that govern computer usage are not followed. Also, he said, such policies are difficult to enforce on laptops because they can be taken from classified networks and put on nonclassified networks with relative ease. Lakhani added that the data leak may not have been malicious, and that the computer may have been moved to a nonclassified network for something as innocuous as viewing a YouTube video clip, which could open the machine to spyware and Trojans that infect a computer and transmit information over the Web.

"By default, many peer-to-peer file-sharing applications share out the entire hard drive," he said. "These laptops may be sharing classified information on P2P networks without the user ever knowing."

Overall, however, Lakhani said the security breach involving the Joint Strike Fighter project could have been thwarted with the right technology and end-user training on the importance of safeguarding information.

"The technology is out there to prevent these types of threats from happening," he said. "However, one of the biggest challenges for anyone in information security is making sure the end user is knowledgeable and understands the importance of protecting information. It really doesn't matter how good the locks on your house are if you are always going to keep the door open."