24 million lines of code to secure? I’m not sure we can do that, Dave.

The new F-35 Fighter Jet is an impressive war machine. The Lockheed Martin aircraft has a 1,200 mph top speed and a range of almost 1,400 miles. It is the result of a $400 billion program that makes it the most expensive weapons system in history. It is not only an impressive piece of aeronautical engineering. It is also a phenomenally sophisticated software lab, with an integrated control system that uses complicated algorithms to help it carry out its mission no matter what adversity it encounters. The computer system includes a carry-on laptop-like device that stores the details of the mission and communicates over a dedicated network with ALIS, or Autonomic Logistics Information System. According to the Lockheed Martin website, “ALIS provides the IT backbone and capabilities to support current and future Warfighters across the U.S. services and the world.” ALIS communicates with the plane as it flies, monitoring its health and scanning for potential problems related to logistics, health, and maintenance. Between the mission-specific on-board laptop and the ALIS backbone, 24 million lines of code keep the plane in the air and on its mission.

That’s a lot of code, not to mention a lot of opportunities for bugs and security flaws. A conservative estimate of the number of software bugs is one per thousand lines of code. Even if the software powering the F-35 has a bug rate of one-tenth that figure, we can expect 2,400 bugs in its software. Some of those bugs are likely to be exploitable by software hackers. Can there be any more enticing a target for state-sponsored hackers than a US fighter jet?

And here’s an even more sobering shocker: the human pilot cannot override the wishes of the computer captain. ALIS has final say regardless of what the pilot wants to do. This isn’t Star Wars; this is HAL from 2001: A Space Odyssey. They’ve seen that movie, right?

A 60 Minutes segment on the F-35 and its potential software Achilles heel doesn’t exactly give one the warm-and-fuzzies. The commander seems like he’s trying unsuccessfully to convince himself that the system won’t be hackable. Unfortunately, the statistics don’t support even his tentative optimism. Complexity is the enemy of security and reliability. Take the human out of the loop, and you’ve relinquished all control to the complexity you should be avoiding. This simply does not compute.



About Ray Klump

Associate Dean, College of Aviation, Science, and Technology at Lewis University; Director, Master of Science in Information Security, Lewis University. http://online.lewisu.edu/ms-information-security.asp, http://online.lewisu.edu/resource/engineering-technology/articles.asp, http://cs.lewisu.edu.
