Murphy's Law: How Good Politics Makes Bad Network Security

Archives

December 1, 2012: The U.S. Navy and Air Force have created an automated supply system (ALIS, Autonomic Logistics Information System) for their new fleet of F-35 warplanes. This extensive use of computers and networks has already proven vulnerable to hacker attacks (during tests of such vulnerabilities) and the situation is worse than that because the aircraft manufacturer, in order to obtain maximum political support for the F-35, selected suppliers with an eye towards where they were, in addition to what they could do. The object of this (a common practice) was to have suppliers in as many of the 435 Congressional districts as possible, especially those held by a politician providing crucial support in keeping the F-35 project funded. This means that there are more suppliers than are actually needed and that security in any networked supply system is only as strong as that of the weakest company connected to the network. As the government introduces more effective testing of network security on ALIS, this vulnerability has been revealed as a major weakness. Fixing it is difficult because so many suppliers are involved.

ALIS is more than just a convenient way to order spare parts and other F-35 maintenance supplies. It also contains analysis capabilities that predict the health of individual F-35s, based on what they have been doing. If an enemy can break into ALIS, they know what the F-35 fleet (of, eventually, several thousand aircraft) has been doing and what is being planned. Building, maintaining, and now making ALIS more resistant to attack is itself a multi-billion dollar project all by itself. Failure to protect ALIS puts all F-35s at risk. It’s a new vulnerability, the dark side of the many benefits coming from the use of networks and new analytics capabilities.