Posted on April 21, 2009 - by Venik
Open-Sourcing JSF
The Wall Street Journal reports that Chinese hackers broke into the Department of Defense computer systems and stole several terabytes of information related to the $300-billion Joint Strike Fighter project. Let’s imagine that three terabytes (this would be the minimum to qualify as “several”) of data were transferred over a 10-Mbps connection. This is a reasonable assumption, considering that the hackers were connecting all the way from China and most definitely were using many creative methods for obfuscating their network routes.
It would have taken them approximately 29 days to transfer 3 terabytes of information. Imagine how screwed up the security system would have had to be to allow someone to rob a bank every day, non-stop for a whole month. But if you speak to someone working in the computer security field at a large company or a government institution, you will quickly realize that incidents like this are not rare. They just rarely make the headlines. Back in the good old days a system administrator knew every user and every directory on the server. These days most sysadmins would be hard pressed to just put together a list of all the systems they support.
IT guys are overworked and underpaid. They work under a constant threat of outsourcing. Every day new computer technologies come out, but most IT support departments have a zero budget for training. To save a buck, IT managers use H-1B visa programs to hire cheap, underqualified substitutes who can barely speak English. Many of these “IT professionals” know less about computers than the managers hiring them. It is hardly surprising, therefore, that America’s most sensitive computer systems look more like shopping malls. On the bright side, should a JSF have to make an emergency landing in China, a local aircraft mechanic will probably be able to fix it.
What kind of information related to the JSF project could have been stolen by the hackers? Since they got into the systems operated by the DoD and not into, say, Lockheed Martin servers, it is unlikely they got their hands on the actual CATIA models, aerodynamics or stress analysis. The stolen data likely consists of various technical documentation: service and maintenance manuals, flight test data, contracts, schedules and procurement information. This sort of information is shared between the DoD and the primary contractor on a project. Such information would include all the latest testing data, documented problems and solutions, detailed field maintenance manuals, lists of manufacturers and suppliers of spare parts, etc. This is no small prize.
A logical question may be: why do we need to have all this information accessible from the Internet? This is how it works: they test an aircraft at some base, collect the data, VPN into the manufacturer’s network and edit documentation online. This documentation is then synchronized with the DoD computers. It’s a matter of convenience and a way to bring down costs. As is always the case with computers, more convenient means less secure. Striking the balance between the two is a tough job. Short-term budgetary considerations usually prevail. And, since convenience often means lower costs, it beats security almost every time.
May 10, 2009
Dear Venik:
Thanks for the valuable info. Can you also discuss the F-22 Raptor? Is it worth the price? What about the PAK FA, what type of stealth method will it use? Also, please add articles related to the Iranian missile program.