Give Now

We must close the loophole that allows law enforcement to buy our personal data without a warrant.

Championing Responsible National Security Policy
|
Analysis

Use of Chinese Material in F-35 Highlights Pentagon’s Complexity Problem

(Illustration: Renzo Velez / POGO)

Pentagon leaders paused delivery of new F-35s after revealing a supplier used a Chinese-made alloy in a component. The program’s complexity created the need for vast numbers of suppliers, which made this development almost inevitable.

A magnetic component inside the F-35 contains an alloy of cobalt and samarium manufactured in China. Pentagon leaders were quick to say the presence of the alloy did not compromise the aircraft since it posed no risk to flight safety and did not transmit any information. While this latest development has received plenty of attention, the presence of Chinese-made components, and magnets in particular, is not new to the program. Frank Kendall, while serving as the Pentagon’s top acquisitions official during the Obama Administration, signed waivers to include Chinese-made parts in the F-35 in 2012 and 2013.

The overall impact on the F-35 program in this instance may be minimal, but this case highlights an inherent problem with almost all modern weapons systems. The complexity of weapons today and the practice of creating as many subcontracts as possible for political purposes sets the conditions for faulty, unwanted, or potentially harmful items to find their way into the final product. The F-35 program’s various mission systems, structural components, and ground-based supporting architecture are manufactured by thousands of suppliers around the world. Lockheed Martin, the prime contractor for the F-35 program, boasts on its website that there are more than 1,500 companies worldwide building parts for the program.

The component at issue in this case, the F-35 turbomachine, illustrates just how complex the supply chain is for even one part. Honeywell manufactures the turbomachine, which provides power when starting the engine. Officials at Honeywell learned about the use of Chinese-made alloy in its product when its supplier of lube pumps reported that its supplier of magnets had used the alloy. For those keeping count, the item passed through five different companies to make it into the F-35: the alloy manufacturer, the magnet supplier, the lube pump supplier, Honeywell, and finally the prime contractor Lockheed Martin.

The Pentagon’s top acquisition official, Bill LaPlante, admitted how difficult it is for the services and the defense industry to track materials through the supply chain. He told Bloomberg News, “I had [a] CEO tell me two weeks ago that he thought he had 300 suppliers and he discovered when he counted all of the suppliers he probably had 3,000, and suppliers can change overnight.”

The overall impact on the F-35 program in this instance may be minimal, but this case highlights an inherent problem with almost all modern weapons systems.

It may have been just an alloy this time, but the next case could be something far more critical. If the part had been a computer chip, it would have been possible for the manufacturer or an infiltrator to install malicious firmware, which could have catastrophic consequences. This is not mere speculation. Tech researchers discovered in July 2022 a new rootkit malware called CosmicStrand that infects Windows operating systems. This strand of malware is embedded in the firmware of the affected computer’s motherboards. The researchers say CosmicStrand uses similar code patterns as other malware strands created by Chinese-speaking cyber attackers.

When the CEO of a defense contractor underestimates his supply chain by a factor of ten, it is hardly unreasonable to suspect there may be other components of dubious origin lurking inside the F-35. If even one of them is a chip sporting infected firmware, the entire aircraft could be compromised. The program is one of the most networked aircraft in history. One of Lockheed Martin’s selling points for the F-35 is its “sensor fusion,” referring to the way the onboard systems are linked together to feed all the information gathered to the pilot. That means that if one of those sensors is compromised, malicious software could spread to other onboard systems.

A threat actor would not even have to get an infected chip into the aircraft to cause problems. Because the F-35 needs to connect to a ground-based maintenance and information network to function, a compromised component could reside in any of the servers supporting the program, which could then distribute malware throughout the entire fleet.

We already know the Chinese have compromised the F-35 program. On at least three occasions beginning in 2007, Chinese hackers stole data about it. Pentagon officials believe the thefts helped Chinese designers develop their own advanced fighter jets, but the information could also be used to exploit cyber vulnerabilities in the program that have existed for years.

The suspect alloy went undetected by the Defense Contract Management Agency, the office with more than 11,000 employees charged with making sure government contracts are fulfilled to specifications.

Just as disturbing as the discovery of Chinese-made materials in the F-35 is how that lapse was discovered. The Pentagon only learned of the presence of the Chinese alloy because the contractor self-reported. The suspect alloy went undetected by the Defense Contract Management Agency, the office with more than 11,000 employees charged with making sure government contracts are fulfilled to specifications.

Civilian and uniformed military leaders need to ensure all the materials used on the F-35, let alone any other big weapons system, come from trusted suppliers so that everyone can be confident there are not dangers lurking within the enterprise.

That’s the short-term need now.

Looking ahead to future programs, designs should be heavily scrutinized to make sure we are not building in the means of our own defeat by loading weapons systems with overly complex and vulnerable technologies. The services should look for the simplest possible tools to perform their missions. If a reliable mechanical system works, it is probably the right solution. It may not be as exciting or sexy as a high-tech digital equivalent, but its supply chain will likely be smaller and provide fewer opportunities for adversarial actors to infiltrate.