Posts

Our Industrial Policy Is the F-35


Lockheed photo.

With the news of Donald Trump’s deal to keep 1,100 of 2,100 Carrier jobs in Indiana, coastal elites appear to have just discovered tax-supported Midwestern manufacturing jobs, even as they continue to ignore tax-supported defense contractor (manufacturing) jobs.

As best as I can understand it from the details released so far, the deal may be best understood as a mix of typical state-level efforts combined with the leverage of a federal level effort. Over 25% of the jobs saved will be engineer and headquarter jobs — important for retaining technological capacity in the US, but not a big help to blue collar workers.

The package is reportedly substantially similar to one IN Governor and soon to be Vice President Mike Pence already offered.

UTC agreed to retain approximately 800 manufacturing jobs at the Indiana plant that had been slated to move to Mexico, as well as another 300 engineering and headquarters jobs. In return, the company will get roughly $700,000 a year for a period of years in state tax incentives.

Some 1,300 jobs will still go to Mexico, which includes 600 Carrier employees, plus 700 workers from UTEC Controls in Huntington, Ind.

That has commentators on all sides — from economists to Bernie Sanders — complaining that Trump just made it more likely companies will demand bribes to retain US based jobs in the future.

That’s of course a fantasy. Companies already demand bribes to keep jobs in particular states (or in the US generally).* This is just a typical deal — indeed, it was a typical failed deal until the guy making it became Vice President-elect thanks in part to his new boss’ running on making a better deal.

The way companies arbitrage states and countries to get the best deal to preserve jobs is not a good thing — at all. But it’s one that must be solved at a systematic level, a point Jared Bernstein made in the WaPo.

This sort of production cannot be sustained as some sort of non-competitive museum model, where we push back on trade-induced job losses through tax breaks and government contracts. True, governors and mayors commonly dole out such goodies as bribes to factories to settle in one state vs. another, but that’s a zero-sum game, and often ends up as a big waste of precious resources. Meanwhile, it’s also a game of corporate whack-a-mole. While Trump et al. were brokering this deal, nearby factories were packing up for Mexico.

As I recently wrote, we’ve generally failed to even try to implement a solution to this problem of global competition eroding our manufacturing base. A systemic approach, as opposed to what Trump is up to here, will require reducing our trade deficit in manufactured goods by pushing back against countries that manage their currencies to make our exports expensive and their exports cheap. It will require investments in advanced manufacturing so we can close the wage gap with productivity. It will require systemic state and older city economic development of the type economist Tim Bartik describes here and here. It may require direct job creation to employ displaced workers when none of the above comes through.

The key twist on this story, however, is that Carrier was convinced to deal when Trump started threatening that federal contracts with Carrier’s parent company, United Technologies, might be at risk if they didn’t.

John Mutz, a former Indiana lieutenant governor who sits on the [Indiana Economic Development Corporation’s] 12-member board, told POLITICO that Carrier turned down a previous offer from IEDC before the election. He said he thinks the choice is driven by concerns from Carrier’s parent company, United Technologies, that it could lose a portion of its roughly $6.7 billion in federal contracts.

“This deal is no different than other deals that we put together at the IEDC to retain jobs, but the fact is that the difference is that United Technologies depends on the federal government for lots of business,” Mutz said.

Kevin Drum — while citing a lot of health care and finance jobs (both heavily supported by federal policy) as the true job leaders in Indianapolis — considers the pressure on United Technologies to be an outrage.

This would be a massive abuse of power, of course, but who wants to take a chance that Trump cares? Probably not UT.

I actually think the deal ought to elicit a more interesting discussion of industrial policy — the kind of systematic intervention that Bernstein talks about that might actually do something about the hollowing out of America’s manufacturing base.

Such a discussion has long been forbidden in American political discourse, in part because the same economists pretending such whack-a-mole bribes haven’t become the norm in American political life also pretend that an unfettered “free” market (always defined to include mobile capital and goods, but not labor) will benefit everyone.

Yet even during the period when any discussion of industrial policy has been forbidden, we’ve had one.

Our industrial policy consists of massive US investments in manufacturing war and intelligence toys that we then sell to foreign governments. When done with Middle Eastern petro-states like Saudi Arabia, that trade goes a long way to equalize our foreign trade deficit, but it contributes directly to instability that then requires us to intervene and build more war toys. That investment in war leads, in turn, to a disinvestment in publicly funded infrastructure that could also provide jobs in the heartland.

The most obvious symbol of our unacknowledged industrial policy is the F-35, a trillion dollar federal investment for a plane that has yet to meet basic requirements, one beset by years of rework. As it happens, one of many causes of problems with the F-35 is big reliability problems with engines used in the plane. That makes those faulty engines, made by United Technologies subsidiary Pratt & Whitney, just another direct taxpayer investment in UTC jobs. Yet reliability problems didn’t prevent P&W from getting another contract for the F-35 engine earlier this year. Nor did P & W’s provision of attack helicopter technology to the Chinese via a Canadian subsidiary.

Our current industrial policy, you see, feeds so few prime contractors that they are virtually immune from the competition that might pressure them to deliver quality goods. Which leads, in turn, to rework, contract overruns, and contractors walking out of the building with our government’s most closely guarded secrets, all with no consequences.

Let’s stop pretending (as this piece does) that America’s manufacturing, increasingly dominated by the production of war toys, exists in a real market, shall we?

Once we do that, we might begin to address the diseases of our defense contracting and — more importantly — rediscover the value of investing in other kinds of manufacturing that our country needs to have. Justify these investments by some future defense need, I don’t give a damn (though there are military officials who will soberly explain the risks of the hollowing out of our manufacturing base). But invest in the technologies the US needs to stay competitive and retain a manufacturing base.

There was a brief moment when Obama tried to do this by investing in battery factories in MI and other Rust Belt states, an investment justified because the US lagged so far behind South Korea on this critical technology. The investments were badly executed, and then later undermined by the KORUS trade deal. Republicans made them toxic with the Solyndra faux scandal. And so, rather than siting one after another killer app in locales whose older economies had failed, such efforts largely ended.

Imagine how the climate change negotiations might have changed, though, if they came with key investments in alternative energies in coal mining areas of West Virginia and Kentucky?

But this Carrier deal — no matter how much of a gimmick — should be an opportunity to shift the discussion. Trump (and Pence) just federalized the kind of deal every state makes out of desperation, pitting states against each other and Mexico and China. If they can do that, in part by leveraging federal contracting, then they can also pursue an honest industrial policy, one not dependent on selling war toys to our belligerent authoritarian friends overseas.

I doubt Trump will do that. But his Carrier deal ought to at least invite a debate about it.

Update: Added a link to the deferred prosecution for when Pratt & Whitney dodged export restrictions to provide technology to China.

Update: The other day Bloomberg did a review of the Department of Energy’s Loan Program Office, which funded Solyndra (but which, as was covered at the time, actually dates to W’s Administration), showing that it actually has been very successful.

Not only has the program’s loan portfolio generated about $1.65 billion in interest payments to date, its mission to support major energy projects fits into Trump’s goal of stimulating investment in the U.S., said Jonathan Silver, a former head of the loan programs office.

“The President-elect was talking directly about significant investments in infrastructure,” Silver said in an interview Monday at Bloomberg headquarters in New York. The program is intended to support not just clean-energy projects, but also industries Trump championed during the campaign, including coal, among other advanced fossil fuels. “This is infrastructure. It doesn’t get any more infrastructure-ish than this.”

The office dates to the George W. Bush administration and was designed to offer loan guarantees to innovative energy projects that struggle to get financing from commercial and investment banks. In some cases it also approved loans funded through the Federal Financing Bank.

It supported the first big solar farms in the country and helped commercialize solar-thermal systems, advanced nuclear designs, molten-salt storage and other technologies. It has yet to finance an advanced fossil-fuel project.


*Disclosure: My spouse works for a manufacturing company often touted, locally and nationally, as a huge success; it receives state tax credits.

Marcy has been blogging full time since 2007. She’s known for her live-blogging of the Scooter Libby trial, her discovery of the number of times Khalid Sheikh Mohammed was waterboarded, and generally for her weedy analysis of document dumps.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including the Guardian, Salon, and the Progressive, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse and dog in Grand Rapids, MI.

Tuesday: Allez Vous F

J’adore Stromae. I’m not in the hip hop demographic, but Stromae — whose real name is Paul Van Haver — pulls me in. This multi-talented artist born to a Rwandan father and a Belgian mother pulls together multiple genres of music laced with compelling au courant lyrics presented with stunning visual effects — how could I not love him?

This particular song, Papaoutai, has a strong psychic undertow. This song asks where Papa is; the lyrics and video suggest an emotionally or physically distant father. Van Haver’s own father was killed in the Rwandan genocide when he was not yet ten years old. Is this song about his own father, or about inaccessible fathers in general? The use of older African jazz rhythms emphasizes retrospection suggesting a look backward rather than forward for the missing father figure(s). More than a third of a billion views for this video say something important about its themes.

Much of Stromae’s work is strongly political, but it conveys the difficulty of youth who are multi-racial/multi-ethnic unsatisfied with the binaries and economic injustices forced on them by oldsters. A favorite among kids I know is AVF (Allez Vous Faire):

“Allez vous faire!”
Toujours les mêmes discours, toujours les mêmes airs,
Hollande, Belgique, France austère.
Gauches, ou libéraux, avant-centres ou centristes,
Ça m’est égal, tous aussi démagos que des artistes.


Go fuck yourselves!
Always the same words, always the same airs.
Holland, Belgium, France, austere.
Right or Left? Moderate or Extremist?
They’re all the same to me – the demagogues and the artists.

Remarquable et pertinent, non? I’m also crazy about Tous Les Mêmes, a trans- and cis-feminist song with a marvelous old school Latin beat simmering with frustration. But there’s not much I don’t like by Stromae; I can’t name a song I wouldn’t listen to again and again.

If you’re ready for more Stromae, try his concert recorded in Montreal this past winter. So good.

Expedition to the Cyber Pass

  • UK wireless firm O2 customer data breached and sold (BBC) — O2 customers who were gamers at XSplit had their O2 account data stolen. The approach used, credential stuffing, relies on users who employ the same password at multiple sites. Wonder how Verizon’s recent hiring of O2’s CEO Ronan Dunne will play out during the integration of Yahoo into Verizon’s corporate fold, given Verizon’s data breach? Will Dunne insist on mandatory 2FA policy and ensure Verizon and Yahoo accounts can’t use the same passwords?
  • Speaking of Yahoo: 200 million credentials for sale (Motherboard) — Yahoo’s Tumblr had already been involved in a massive breach; now there are Yahoo accounts available on the dark web. Given the Verizon breach already mentioned, it’s just a matter of time before these accounts are cross-matched for criminal use.
  • Oracle’s not-so-good-very-bad-too-many 276 vulnerabilities patched (Threatpost) — Whew. Two. Hundred. Seventy. Six. That’s a lot of risk. Good they’re all patched, but wow, how did Oracle end up with so many to begin with? Some of them are in products once owned by Sun Microsystems, including Java. Maybe Oracle ought to rethink Java’s licensing and work with the software community to develop a better approach to patching Java?
  • F-35 ready, says USAF — kind of (Bloomberg) — Massively expensive combat jet now up for ‘limited combat use’, except…

    The initial aircraft won’t have all the electronic combat, data fusion, weapons capacity or automated maintenance and diagnostics capabilities until the most advanced version of its complex software is fielded by 2018.

    Uh, what the hell did we spend a gazillion-plus bucks on if we don’t have aircraft with competitive working electronics?

Light load today, busy here between getting youngest ready for college and primary day in Michigan. YES, YOU, MICHIGANDER, GO VOTE IN THE PRIMARY! Polls close at 8:00 p.m. EDT, you still have time — check your party for write-in candidates. You can check your registration, precinct, ballot at this MI-SOS link.

The rest of you: check your own state’s primary date and registration deadlines. Scoot!

Blogger since 2002, political activist since 2003, geek since birth. Opinions informed by mixed-race, multi-ethnic, cis-female condition, further shaped by kind friends of all persuasions. Sci-tech frenemy, wannabe artist, decent cook, determined author, successful troublemaker. Mother of invention and two excessively smart-assed young adult kids. Attended School of Hard Knocks; Rather Unfortunate Smallish Private Business School in Midwest; Affordable Mid-State Community College w/evening classes. Self-employed at Tiny Consulting Business; previously at Large-ish Chemical Company with HQ in Midwest in multiple marginalizing corporate drone roles, and at Rather Big IT Service Provider as a project manager, preceded by a motley assortment of gigs before the gig economy was a thing. Blogging experience includes a personal blog at the original blogs.salon.com, managing editor for a state-based news site, and a stint at Firedoglake before landing here at emptywheel as technology’s less-virginal-but-still-accursed Cassandra.

Wednesday Morning: Full of Whoa

Whoa. Halt. Stop. The brakes need firm application, even mid-week.

Zika virus infects media with crappy reporting
I can’t tell you how many times in the last 24 hours I yelled at my computer, “Are you f****** kidding me with this crap?” With so many news outlets focused on hot takes rather than getting the story right, stupidity reached pandemic levels faster than mosquito-borne viruses. And all because Dallas County health officials and the Center for Disease Control used the words “sexually transmitted” in reference to a new Zika case in the U.S.

The following sampling of heds, tweets, and reports? WRONG.

  • US reports first case of sexually transmitted Zika in Texas (Gizmodo, io9)
    [Not the first sexually transmitted case in the U.S., just the first in Texas]
  • First US case of the Zika virus infection was sexually transmitted, officials say (Verge)
    [Not the first U.S. case of Zika virus]
  • The first known case of the #ZikaVirus contracted within the US confirmed in Dallas (Newsweek)
    [Not the first known case of Zika contracted within the U.S.]
  • The first case of the #ZikaVirus contacted within the US was through sexual transmission (Newsweek)
    [Neither the first sexually transmitted case in the U.S. nor the first contracted within the U.S.]
  • The First Sexually Transmitted Case of the Zika Virus Is Confirmed in Texas (Slate)
    [Not the first sexually transmitted case in the U.S.]

The first case in which Zika virus was contracted inside the continental U.S. occurred in 2008. This was the first sexual transmission of the virus in the continental U.S. as well. Scientist Brian Foy had been studying Zika in Senegal during an outbreak; he had been infected by the virus, became ill, and was still carrying the virus when he came home to Colorado. His wife became infected though she had not traveled abroad, had not been bitten by a mosquito, and children residing in their home did not contract the virus. More details on the case can be found here.

The first cases of Zika virus in the U.S. in this outbreak were not locally transmitted inside the U.S., but contracted outside the continental 48 states and diagnosed on return here. States in which cases have been reported include Hawaii, New York, Virginia, Arkansas, Florida, and now Texas — in the case of the traveler who brought the disease home and infected their partner through sex.

It’s incredible how very little effort many news outlets put into researching the virus’ history or the case in Texas. Bonus points to Newsweek for trying to get it wrong in multiple tweets for the same story.

Best reporting I’ve read so far has been WaPo’s piece on the new Dallas cases, and WIRED’s collection of Zika reports. The CDC’s site on the Zika virus can be found here.

Gonna’ be a massive Patch Day for F-35 sometime soon
Whether or not Monday’s earthshaking sonic booms over New Jersey were generated by F-35 test flights, there’s still a long and scary list of bugs to be fixed on the fighter jet before it is ready for primetime. Just read this; any pilot testing these now is either a stone-cold hero, or a crazed numbnuts, and they’d better weigh between 136 and 165 pounds to improve their odds of survival.

Oral Roberts University mandates students wear FitBits for tracking
Guess the old “Mark of the Beast” is interpreted loosely at ORU in Oklahoma. Fitness is measured on campus by more than theological benchmarks. Begs the question: who would Jesus monitor?

The last straw: Fisher Price Wi-Fi-enabled toys leave kids’ info out in the open
Fisher Price is the fourth known manufacturer of products aimed at children and their families in which the privacy and safety of children were compromised by poor information security. In this case, Smart Toy Bears are leaking information about their young owners. Maybe it’s about time that either the FCC or FTC or Congress looks into this trend and the possibility toy makers are not at all concerned with keeping their youngest customers safe.

EDIT: #FlintWaterCrisis
Forgot to note the House Oversight and Government Reform Committee will hold a hearing on lead contaminated drinking water in Flint, Michigan at 9:00 a.m. EST. C-SPAN3 will carry the hearing live.

Tap the brakes a few more times before you take off, eh? It’s all downhill from here.


Monday Morning: Java Junky Jonesing

This morning will not launch without coffee. I don’t care how you deliver it, just bring it or nothing will start and finish today without it.

Need more of it than usual given the wacky stuff I’ve been reading into the wee hours over the weekend — like this stuff:

Former DHS Secretary now University of California prez surveils staff emails
Holy cats. This is ugly. After an alleged network security breach in June last year at UCLA’s medical center, an outside party was contracted by University of California president Janet Napolitano to monitor networks at all of University of California’s campuses. Collection of content both inbound and outbound, in violation of UoC-Berkeley’s IT policy, is alleged. UCOP has been opaque about the reason for the monitoring or data collection. Keep an eye on this case.

DDoS attack on HSBC crimps UK freelancers’ tax filing
The end of January in the United Kingdom is the filing deadline for the self-employed. Unfortunately, those who banked with HSBC lost access to their records for roughly four hours on Friday due to a distributed denial of service (DDoS) attack. It’s the second service outage inside a month for HSBC. The last outage lasted roughly two days but was not attributed to a DDoS. If UK lawmakers were testy after the first outage in January, they’re going to be ugly today.

Oil crash: massive wealth transfer, or increased dependency on oil?
Francisco Blanch, Commodities and Derivatives Strategist at BofA Merrill Lynch, claims plummeting oil prices have transferred roughly $3 trillion to consumers away from oil producers, and the resulting uptick in consumption will spur the economy. This assumption neatly ignores the likelihood consumers will have to pay one way or another for increasing losses due to unchecked climate change. Buying more insurance against weather damage and paying more taxes to replace infrastructure, as well as paying more for food due to crop losses won’t stimulate anything but consumer frustration.

War of words inside military about F-35’s readiness
In a December memo, the Defense Department’s director of operational test and evaluation Michael Gilmore wrote that the Joint Program Office’s July 2017 deadline for the F-35 jet’s full warfighting capability is “not realistic.” Software completion, testing and debugging is the risk. Folks in JPO are pushing back, with at least one official grousing online. So not cool, JPO. Address the concerns and then get to work on that software. Americans are paying for a working jet, not trash talk on Facebook.

Speaking of military…Sonic boom(s) caused minor earthquake in New Jersey
Just for fun, browse through a Twitter search for tweets from last Friday. Something caused more than one sonic boom — perhaps as many as nine — loud enough to register as an earthquake on USGS’ meters. At first, the military said it knew nothing about it, claiming there are no training exercises or other missions in the area. NASA’s Wallops Flight Facility-Virginia, Federal Aviation Administration, and the North American Aerospace Defense Command had no knowledge of flights in the area capable of generating sonic booms. But then the Navy piped up later, saying the Naval Test Wing Atlantic had been conducting test flights. Though not named, the F-35 fighter is believed to be the source of the booms. Were JPO and Lockheed Martin trying to make a rather loud and indiscreet point?

Or were the sonic booms due to some other unknown/unspecified cause, given Joint Base McGuire-Dix-Lakehurst’s inability to explain the booms when asked? USGS’ website is still taking feedback from folks in New Jersey — did you feel the earth move, too?

Time to taper off from espresso and move to an Americano. Hope your Monday is as caffeinated as you need it to be.


America’s $1 Trillion Target Barge

The NYT has a story about a mock US aircraft carrier Iran is building, its sources say, so Iran can blow it up for the propaganda value.

Iran is building a nonworking mock-up of an American nuclear-powered aircraft carrier that United States officials say may be intended to be blown up for propaganda value.

This has set off chatter about how weird and dumb Iran is for building this giant toy boat, which US sources call the Target Barge.

But pretty soon after I started reading the article I found myself applying the phrases in it to America’s F-35 program which, in many ways, is an even bigger propaganda prop. See how it looks when you swap out Iran’s barge for the F-35?

Intelligence officials do not believe that the US is capable of building an actual F-35.

“Based on our observations, this is not a functioning plane; it’s a large spending program built to look like a plane,” said Cmdr. Jason Salata, a spokesman for the Navy’s Fifth Fleet in Bahrain, across the Persian Gulf from Lockheed. “We’re not sure what the US hopes to gain by building this. If it is a big propaganda piece, to what end?”

[snip]

“It is not surprising that American military forces might use a variety of tactics — including military deception tactics — to strategically communicate and possibly demonstrate their resolve in air power,” said a Chinese official who has closely followed the construction of the F-35.

[snip]

[T]he Pentagon has taken no steps to cloak from prying Chinese hackers what it is building in pork-laden building sites across several countries. “The system is often too opaque to understand who hatched this idea, and whether it was endorsed at the highest levels,” said Karim Sadjadpour, an American expert at the Carnegie Endowment for International Peace.

See what I mean?

Opacity of purpose.

Failure to provide adequate security.

Probable impossibility to bring to completion.

Abundant propaganda.

I’m not all that sure what distinguishes the F-35 except the cost: Surely Iran hasn’t spent the equivalent of a trillion dollars — which is what we’ll spend on the F-35 when it’s all said and done — to build its fake boat.

So which country is crazier: Iran, for building a fake boat, or the US for funding a never-ending jet program?


Time to Out the Cyber-Insecure Defense Contractors

In its latest update on Chinese hacking of our defense programs, WaPo provides a list of defense programs that have been compromised, which includes many of our most important and error-prone programs.

The designs included those for the advanced Patriot missile system, known as PAC-3; an Army system for shooting down ballistic missiles, known as the Terminal High Altitude Area Defense, or THAAD; and the Navy’s Aegis ballistic-missile defense system.

Also identified in the report are vital combat aircraft and ships, including the F/A-18 fighter jet, the V-22 Osprey, the Black Hawk helicopter and the Navy’s new Littoral Combat Ship, which is designed to patrol waters close to shore.

Also on the list is the most expensive weapons system ever built — the F-35 Joint Strike Fighter, which is on track to cost about $1.4 trillion. The 2007 hack of that project was reported previously.

Having seen classified sections of a report that had previously been released in unclassified form, WaPo also places more emphasis than it has in the past on the potential impact not just of cybertheft but of cyber-sabotage, basically pointing to this section of the report itself.

The threats described in the previous section [which focus on sabotage at the microchip level] may impose severe consequences for U.S. forces engaged in combat:

  • Degradation or severing of communication links critical to the operation of U.S. forces, thereby denying the receipt of command directions and sensor data
  • Data manipulation or corruption may cause misdirected U.S. operations and lead to lack of trust of all information
  • Weapons and weapon systems may fail to operate as intended, to include operating in ways harmful to U.S. forces
  • Potential destruction of U.S. systems (e.g. crashing a plane, satellite, unmanned aerial vehicles, etc.).

At the national level, one could posit a large-scale attack on the U.S. critical infrastructure (e.g., power, water, or financial systems). An attack of sufficient size could impose gradual wide-scale loss of life and control of the country and produce existential consequences.

WaPo also provides a hint at our solutions and Chinese counter-responses. That is, as our prime contractors have become more adept at cyber-security, China has moved on to attacking subcontractors.

In an attempt to combat the problem, the Pentagon launched a pilot program two years ago to help the defense industry shore up its computer defenses, allowing the companies to use classified threat data from the National Security Agency to screen their networks for malware. The Chinese began to focus on subcontractors, and now the government is in the process of expanding the sharing of threat data to more defense contractors and other industries.

Yet the government won’t take the obvious step of tying ongoing contracts to cyber-security, instead requiring only that contractors provide the government notice of cyber-attacks.

An effort to change defense contracting rules to require companies to secure their networks or risk losing Pentagon business stalled last year. But the 2013 Defense Authorization Act has a provision that requires defense contractors holding classified clearances to report intrusions into their networks and allow access to government investigators to analyze the breach.

What’s most interesting about all this, though, is that the report (at least the classified list the WaPo saw) didn’t identify via which contractors in the supply chain China hacked these programs. But the US is not, apparently, keeping all of that information secret from China.

U.S. officials said several examples were raised privately with senior Chinese government representatives in a four-hour meeting a year ago. The officials, who spoke on the condition of anonymity to describe a closed meeting, said senior U.S. defense and diplomatic officials presented the Chinese with case studies detailing the evidence of major intrusions into U.S. companies, including defense contractors.

[snip]

The list did not describe the extent or timing of the penetrations. Nor did it say whether the theft occurred through the computer networks of the U.S. government, defense contractors or subcontractors.

So if the government is sharing at least some details of what it knows about China’s hacks with China, then why is it keeping secret the details about which contractors taxpayers are paying lots of money to for cyber-attack induced rework? Why can’t it provide at least skeletal information about which contractors have let China compromise our security so much?

Marcy has been blogging full time since 2007. She’s known for her live-blogging of the Scooter Libby trial, her discovery of the number of times Khalid Sheikh Mohammed was waterboarded, and generally for her weedy analysis of document dumps.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including the Guardian, Salon, and the Progressive, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse and dog in Grand Rapids, MI.

Hackers Penetrate Freedom; The Ship Has Already Sailed

Reuters has a report I found sort of punny, about how white hat hackers had managed to break into the computer systems of the lead ship of the Navy’s Littoral Combat Ship program, the USS Freedom.

A Navy team of computer hacking experts found some deficiencies when assigned to try to penetrate the network of the USS Freedom, the lead vessel in the $37 billion Littoral Combat Ship program, said the official, who spoke on condition of anonymity.

The Freedom arrived in Singapore last week for an eight-month stay, which its builder, Lockheed Martin Corp., hopes will stimulate Asian demand for the fast, agile and stealthy ships.

It may be ironic that Lockheed had a ship get hacked just before it sent the ship out on a sales trip to Asia. (Asia! Where our most feared hacking rival is!)

But … um, Lockheed?

Lockheed, of course, couldn’t keep the F-35 program safe from hackers either, and that time it wasn’t white hats doing the hacking.

Before the government imposes fines for companies unwilling to sacrifice the security of their systems to program in a backdoor, as the WaPo reports is being debated …

A government task force is preparing legislation that would pressure companies such as Facebook and Google to enable law enforcement officials to intercept online communications as they occur, according to current and former U.S. officials familiar with the effort.

[snip]

Susan Landau, a former Sun Microsystems distinguished engineer, has argued that wiring in an intercept capability will increase the likelihood that a company’s servers will be hacked. “What you’ve done is created a way for someone to silently go in and activate a wiretap,” she said. Traditional phone communications were susceptible to illicit surveillance as a result of the 1994 law, she said, but the problem “becomes much worse when you move to an Internet or computer-based network.”

Marcus Thomas, former assistant director of the FBI’s Operational Technology Division, said good software coders can create an intercept capability that is secure. “But to do so costs money,” he said, noting the extra time and expertise needed to develop, test and operate such a service.

… Maybe we ought to instead focus on Lockheed’s apparent inability to keep the hundreds of billion dollar weapons systems it produces safe from hackers?


What if China Not Just Hacked — But Sabotaged — the F-35?

Over the last week, two perennial stories have again dominated the news. China continues to be able to hack us — including top DC power players — at will. And the F-35 has suffered another setback, this time a crack in an engine turbine blade (something which reportedly happened once before, in 2007).

The coincidence of these two events has got me thinking (and mind you, I’m just wondering out loud here): what if China did more than just steal data on the F-35 when it hacked various contractors, and instead sabotaged the program, inserting engineering flaws into the plane in the same way we inserted flaws in Iran’s centrifuge development via Stuxnet?

We know China has hacked the F-35 program persistently. In 2008, an IG report revealed that BAE and some of the other then 1,200 (now 1,300) contractors involved weren’t meeting security requirements; last year an anonymous BAE guy admitted that the Chinese had been camped on their networks stealing data for 18 months. In April 2009, WSJ provided a more detailed report on breaches going back to 2007.

The Joint Strike Fighter, also known as the F-35 Lightning II, is the costliest and most technically challenging weapons program the Pentagon has ever attempted. The plane, led by Lockheed Martin Corp., relies on 7.5 million lines of computer code, which the Government Accountability Office said is more than triple the amount used in the current top Air Force fighter.

Six current and former officials familiar with the matter confirmed that the fighter program had been repeatedly broken into.
