by Stephen Bryen
China is about to show off the new J-20 jet fighter-interceptor at the Air Show China in Zhuhai. The J-20 is a knock-off of the F-22. China is also working on the J-31, which is a copy of the F-35. Assuming that China has got the stealth, radars and other electronics right, and has a capable engine to power these jets, she will leapfrog her place in aerospace, putting China ahead of Russia and Europe and in capability close to the United States.
Naturally, China’s acquisition of technology to build these platforms represents a strategic threat in Asia and beyond, because there is every reason to think that China will use these aircraft to forward its dominant position over Japan and other US allies, to further intimidate Taiwan, and as an export opportunity to countries willing to buy from China. Iran will be first in line; the Iranians will especially want the J-20, but the J-31 would give Iran the ability to block threats from Israel and Saudi Arabia and even give the F-22 problems operating in the area of Saudi Arabia and the Persian Gulf.
Where did China get the technology? The answer is easy. China stole it, and got most of it by sucking the information out of computers belonging to American defense contractors. According to the National Security Agency, China was able to download more than 50 terabytes of data, primarily from Lockheed Martin, the company that produced the F-22 and is now manufacturing the F-35. But China also got into the computers of many of the subcontractors for these aircraft, and we lack a full accounting of just what was taken. In fact, the US never officially announced any investigation or did anything to change how data is protected. Lockheed said “not to worry” since the stolen data was all unclassified. But the truth is that over 90% of aircraft design information is unclassified (the number may actually be above 95%), so the theft of such information is a vast danger to national security. It makes it easy for China, and any other country that wants to steal American defense information, to get a vast amount of data and to narrow the list of what they need to obtain through more classical spying. China has plenty of spies in the United States and, while a few have been caught, it is likely there are many more. Furthermore, there are always people who want to get rich quickly and are willing to sell secrets.
US cyber security is a huge scandal because there isn’t any. Most of the computer terminals, routers and other hardware used by the US government, the military and by defense contractors are commercial off-the-shelf systems (called COTS in the trade). COTS computers, routers, circuit boards, sensors, keyboards, modems and even processor chips and computer memory devices are made in China. We know that most of them are bugged, although the only case where the military actually did anything was over the use of memory sticks in Iraq and Afghanistan. They were banned and eventually replaced with so-called secure memory sticks. But since no flash-memory-based system is ever secure, the US is even less secure than before, because the Chinese and Russians know exactly who makes these so-called safe memory sticks and can easily target them.
Even worse, as we move into cloud computing, it is ever easier for an adversary to bust a cloud system and take everything stored in it.
The US decision to use COTS was originally based on two factors: lower cost and more frequent technological growth than in government-produced systems. To accommodate COTS, the Pentagon quietly gave up on its Tempest program for computers in the Defense Department, not because it did not work (it worked fine) but because it was in the way of COTS adoption. The Pentagon claimed at the time that since the Russian threat had lessened we did not need Tempest systems any more. But this was just nonsense and not very clever nonsense either. It was a bow in the direction of Silicon Valley, which manufactures almost everything outside the United States, mostly in China.
There is almost no prospect that the Defense Department or the US government will fix the COTS problem, which threatens to continually undermine national security and eviscerate defense investments. Why? There are thousands of companies making a lot of money selling so-called “solutions” for cyber security to the US government. It has grown to a multibillion-dollar business that, despite the empirical evidence of complete failure, continues to get more and more money from government budgets. The government still thinks that if it throws enough taxpayer money at a problem, the problem will miraculously get fixed.
There is no fix to bugged hardware, compromised software, and vulnerable systems that share the internet highway with every type of malefactor that exists in the world. The only solution is to replace all of it with secure systems made from safe hardware that is not outsourced to China and does not have foreigners working on the operating code. A really secure system would be made up of highly compartmented segments designed by trusted organizations where the workers all have security clearances and where solid security practices are in place. In short, the solution is Anti-COTS.
COTS is how we helped China steal the F-22 and F-35.
Nonetheless the government and its advisers are still pushing COTS and think it is a great thing. Really?
The step we need to take is to dump COTS as I outlined above. If we don’t take this step and soon, we can stop manufacturing the F-35 and retire the F-22. They won’t produce the combat dominance we invested in. Why spend a trillion dollars or more for compromised systems?