Red teaming isn't easy

Wikimedia image: The U.S. Navy variant of the F-35 Joint Strike Fighter, the F-35C, conducts a test flight over the Chesapeake Bay. 

Cybersecurity testing of the software that serves as the brain of the F-35 Joint Strike Fighter has caused headaches in the Pentagon.

The IT that supports the armed forces' new Joint Strike Fighter is a complex system that serves as an example of the widening cybersecurity blind spots that can confront agencies, according to one Defense Department expert.

While the Autonomic Logistics Information System (ALIS) provides a single information environment for the Joint Strike Fighter's operations, maintenance, prognostics, supply chain, customer support services, training and technical data, it was also designed without considering some critical cybersecurity aspects, said Dr. Michael Gilmore, director of operational test and evaluation in the Office of the Secretary of Defense.

Experts on an Oct. 20 cyber resiliency panel sponsored by the Consortium for IT Software Quality in Arlington, Va., pointed to the rapidly growing Internet of Things as a difficult obstacle to cover, especially for complex defense systems.

Standard cybersecurity testing that's taken for granted to protect commercial IoT systems, Gilmore said, is not easy to get implemented in the defense environment. Many commercial companies run standard continuous "red team" testing on their software and systems, but the JSF and ALIS hadn't been developed with that kind of immediate, hands-on cybersecurity process. For instance, he said, ALIS requires workstations to be distributed across the globe to support the aircraft's deployment.

"That means all kind of people worldwide will have access" to the system and the aircraft's systems, he said.

There are other issues as well, Gilmore said.

"If ALIS goes down, there was no thought about how to restore it" during the development of the system, he said. Also, getting defense program management offices to accept "red teaming" of systems, he said, "has been a struggle."

"It took months to get [JSF's contractor] Lockheed to arrange red team tests for the aircraft," he said. To be truly secure, both ALIS and the aircraft itself need to get red team tests to see where they're vulnerable. The aircraft can't get in the air without ALIS, he said.

Although there are efforts to develop cybersecurity testing in the defense procurement process, those efforts have been stalled, said Gilmore.

Intensive, immediate testing for system vulnerability, according to Gilmore and other federal officials on the panel, isn't as common across the federal acquisition process as it should be.

Getting basic, specific cybersecurity language into federal contracts, said Gilmore, is a problem. Without it, he said, security is hard to pin down. Program management offices at vendors will say "'It's not fair to test that way because it's not in the contract specifications,'" he said.

"Until you get meaningful metrics in specifications, the rest is just nonsense," he said.

"There's not a lot of specificity" in the cybersecurity language in solicitations to industry, said Ray Letteer, chief of the Marine Corps' Cybersecurity Division. Letteer, speaking on the same panel, said the Marine Corps uses its Cyber Range to "test the [expletive] out of systems" it plans to deploy, producing quantifiable data on them that can be addressed.

Martin Stanley, the branch chief of the Department of Homeland Security's Cybersecurity Assurance Branch, said his agency has found that below the need for cyber specifications lies a more fundamental requirement to get basic IT practices and governance in place. "We share a lot of the same findings in civilian agencies and we're focusing on securing high value assets" under the president's Cybersecurity National Action Plan. As that assessment moves along, he said, the agency is finding that "basics matter."

DHS' review of other federal agencies under CNAP has found that some systems' boundaries aren't well known by some operators, and that others have segmentation issues.

About the Author

Mark Rockwell is a staff writer at FCW.

Before joining FCW, Rockwell was Washington correspondent for Government Security News, where he covered all aspects of homeland security from IT to detection dogs and border security. Over the last 25 years in Washington as a reporter, editor and correspondent, he has covered an increasingly wide array of high-tech issues for publications like Communications Week, Internet Week, Fiber Optics News, magazine and Wireless Week.

Rockwell received a Jesse H. Neal Award for his work covering telecommunications issues, and is a graduate of James Madison University.

Reader comments

Thu, Oct 20, 2016 SpudmanWP CA

Please stop perpetuating the myth that ALIS can keep the F-35 from flying. Not only is this not true, there are multiple levels of ALIS (global, national, regional, unit, etc.) that would ALL have to be brought down in order to affect the F-35 operations for any length of time.

Thu, Oct 20, 2016 David Lightman

....and to do any of this you have to have feds who understand cyber security to the degree to and with the responsibility to create the contract language necessary to hold the FFP contractors like Lockheed accountable. The gaping hole here is the knowledge of technology in the contracting ranks. The consolidation of contracting over the last 10 years as a competency independent of technology was the nail in the coffin. We'd never get to the moon today. Too bad all the leaders who could fix this just want to work for Lockheed when they retire.
