The Lockheed Martin F35 fighter jet plane, also known as the Adir, in a test flight.
(photo credit: LOCKHEED MARTIN AERONAUTICS/ LIZ LUTZ)
The software of Western aircraft such as the F-35, the new prize in the Israel, US and other air forces, can be hacked by certain adversaries, but adapted hardware can be installed that can’t be hacked, IMI Systems cyber director Maj. (res.) Oren Bratt said at a cyber conference in Latrun, west of Jerusalem, on Thursday.
Bratt screened television footage of South Korean officials expressing concerned about their country’s purchase of the F-35 fifth-generation combat aircraft, due to its vulnerability to hackers, and asked to the audience rhetorically, “Now that you have heard this, is anyone still ready to get into that airplane?”
His message was that cyber risks such as the recent worldwide ransomware attack were small beans compared to cyber threats that endanger human life and could occur at any moment.
He said “that networks are vulnerable and IT supports most critical systems – we know this,” but the “cyber super effect is about to happen,” when cyber hacking will “create chaos by interrupting life-support systems.”
At that point the phrase “No one died from it is not true anymore,” and any “system can harm the user by malfunctioning,” Bratt said.
The solution for both aircraft and other systems which, if hacked, could lead to deaths, is to design the hardware to function even in the event of a successful hack, he said.
For aircraft this means installing an engine that the software in the jet cannot turn off. Bratt said the key was designing hardware that will work even if software malfunctions because of a defect or a cyber attack.
Going forward, he said, there can be no development of systems without planning defense from the start, because the systems won’t work if “defense is not an integral part of the design from the start.”
Asked about currently operating aircraft, which were not designed with this hardware defense in mind, he said that the matter was classified, but it can be assumed that efforts are ongoing to update and improve the cyber defense systems of existing aircraft.
IDF cyber chief Maj.-Gen. Nadav Padan spoke next, giving a broad outline of the Computer Service Directorate’s role and goals.
“The digital age changes are not merely a change in technology... but also in our experience” of life in a range of areas, Padan said.
“It is very hard to know where we are going” in the cyber realm, with “international law and conventions not being settled until the practice of nations is settled,” he said.
Strong rules regarding the use of cyber tools against other nations will likely not be set until “a great crisis or when a great power takes the game into their own hands,” he said.
“Right now” the ambiguity of what cyber tools can be used against other nations “serves everyone” too well for agreements to be reached on standards, the general said.
One achievement was improved training for recruits to the IDF’s cyber-related units, he said.
A major challenge in the IDF was making cyber user-friendly enough to be relevant.
“Seventy percent of cyber [work in the military] is operational,” and cyber must “evolve into whatever fighters need and only what they need – otherwise it just confuses fighters,” he said, adding that sometimes field inspections find that only 30-40% of developed cyber abilities are used.
Padan discussed the debate within he IDF in recent years about whether to unify all cyber-related areas into a Cyber Command as in the US military, or keep offensive and defensive cyber areas separate, with the second approach winning out thus far.
He did note that his division has added officers with dual cyber and intelligence functions, even as the Military Intelligence Directorate has maintained its own cyber elements.
Finally, Padan said that “our defense must be constantly changing” and be a moving target, since any cyber defense that is stagnant, no matter how strong, is an easy target simply because its weaknesses can be mapped out and remain static.
In contrast, a constantly changing cyber defense structure can confuse an attacker, and by the time the attacker figures out a plan for cracking the defense, he may it has changed.