Dozens of times in the last decade, I’ve encountered information security tropes about cyber-espionage, usually accompanied by a pair of pictures:

The plane on the left is an F-35, the plane on the right is a Chengdu J-20. There is considerable similarity. But the people who are pursuing the “Chinese stole the F-35” line of argument usually stop after they’ve shown the front view.

 

Let’s rewind a bit: in 2007 it was disclosed that a load (about 14tb) of design documents including CAD files for F-35 had leaked out via multiple avenues. All of the leaks happened as a result of preparation meeting opportunity: poor security and practices attacked using fairly typical hacking techniques, mostly phishing and malware. I don’t consider any of the successful attacks to be particularly sophisticated, which is important when you remember that the US Government’s “attribution” of attacks seems to hinge on “it was sophisticated, therefore it was state-sponsored.” These were attacks that any well-prepared, caffeinated, and motivated hacker could have done.

Part of the problem is that a program like the F-35 has a huge attack surface. Obviously, you have Lockheed Martin – a $46billion/year company with  126,000 employees worldwide. But then you have all the contractors, subcontractors, and even other nations involved. One of the reasons that the attack surface of the F-35 program is so huge is because the pork was spread around (in order to make the program harder to cancel) – including to some places it probably shouldn’t have been. One of my colleagues who was peripherally involved in analyzing the F-35 leaks says that some of them appear to have originated through a Turkish contracting company.* There’s no need to hack Lockheed Martin if you can hack the people Lockheed Martin send design documents to. And that’s one of the things that appears to have happened with the F-35.

From the F-35 program site:[1]

Below are details on the 10 Turkish companies who have supported the development and/or production of F-35 / F135.

• Alp Aviation has been supporting the program since 2004 and currently manufactures F-35 production airframe structure and assemblies, production landing gear components and over 100 F135 production engine parts to include titanium integrated blade rotors.
• Aselsan is developing manufacturing approaches for advanced optical components, which are part of the F-35 Electro Optical Targeting System. They are also working with Northrup Grumman on the F-35 CNI Avionic Interface Controller and will initiate full scale production activities in the near term.
• Ayesas currently is the sole source supplier for two major F-35 components – missile remote interface unit and the panoramic cockpit display.
• Fokker Elmo manufactures 40 percent of the F-35 Electrical Wiring & Interconnection System (EWIS) and will also deliver and support TAI with all center section wiring systems. Fokker Elmo is also developing the EWIS for the F135 engine, for which a major share is produced in Fokker Elmo Turkey in Izmir.
• Havelsan has been supporting the F-35 training systems since 2005. Additionally, Havelsan has been instrumental as the Turkish lead for developing the construct of the future Turkish F-35 Integrated Pilot and Maintenance Training Center (ITC) and associated training systems in Turkey.
• Kale Aerospace has been supporting the F-35 since 2005. In conjunction with Turkish Aerospace Industries, they manufacture and produce F-35 airframe structures and assemblies. Kale Aero also supports Heroux Devtek as the sole source supplier for all three variants landing gear up lock assemblies. Additionally, Kale Aerospace has also established a joint venture in Izmir with Pratt & Whitney and is manufacturing production hardware for the F135 engine.
• MiKES has supported the F-35 Program during SDD delivering F-35 aircraft components and assemblies for BAE Systems and Northrop Grumman
• ROKETSAN and Tubitak-SAGE are the Turkish joint leadership team who strategically manage the development, integration, and production of the advanced precision-guided Stand-off Missile (SOM-J) which will be carried internally on the 5th Generation F-35 aircraft. Additionally, Lockheed Martin Missiles and Fire Control has partnered with Roketsan, through a teaming agreement, to jointly develop, produce, market and sell the advanced, precision guided Stand Off Missile – Joint Strike Fighter (SOM-J).
• Turkish Aerospace Industries (TAI) has been strategically supporting the F-35 Program since 2008. The company currently supplies production hardware that goes into every F-35 production aircraft. In conjunction with Northrup Grumman, TAI manufactures and assembles the center fuselages, produces composite skins and weapon bay doors, and manufactures fiber placement composite air inlet ducts. Additionally, TAI is strategically manufacturing 45 percent of the F-35’s including Air-to-Ground Pylons and adapters which is Alternate Mission Equipment (AME).

In this example, I’m not pointing specifically at Turkey; this is just a way of illustrating the size of the attack surface on a program like this. For one thing, if a hacker wanted to learn about the wiring systems of the F-35, from which one might learn a great deal, according to the F-35 program site, they might want to go after Fokker Elmo.**  Besides, you might learn a thing or two about the electrical system of Saab Gripen and Viggen, as well as Airbus passenger aircraft while you’re at it.***

The question is always what you learn, and the significance of the intelligence. One thing that drives me absolutely bonkers whenever the F-35 leaks come up is the assertion that the Chengdu J-31 is ripped off design of the F-35. If you look at the picture I started with, ok, maybe that could be true. If you look at another picture of the J-31, no, it’s clearly not the case.

There are some surface similarities (they are both shaped roughly the same)

The most obvious difference is that the J-31 is a twin engine aircraft and the F-35 is single-engine. In terms of design, that changes practically everything about a fighter jet. It affects balance, fuel capacity, airflow, stealth, positioning of weapons bays, avionics… It doesn’t affect the outward appearance much but it’s not quite as simple as saying that the J-31 is merely a twin-engine copy of an F-35.

There is no question that an aircraft designer can learn all kinds of interesting things from plans for a competitive jet. But if someone is making it sound like the Chinese just copied the F-35, they probably have minimal understanding of what makes a jet, or a jet fighter, or a good jet fighter, or why the F-35 is not a good jet fighter.

Now let’s look at a few more military jet aircraft:

The J-20 doesn’t look much like an F-35 from the top, does it? And the SU-50 has some visual resemblance to parts of the F-35, except that it’s much broader because it’s a twin-engine design depending on much larger engines than the J-20 has or the single engine of the F-35. When I first started encountering the claims of Chinese design-stealing, the pictures were of the J-20 (front on) compared to the F-35.

Now that there’s the J-31 to post pictures of, the “Chinese stole plans” crowd are posting comparisons with that aircraft instead of the J-20 because they don’t have to carefully position their camera to hide the front canards on the J-20 (clearly visible here) to make it look more like an F-35. As you can tell from the top view, the aircraft show very little resemblance except that they all are dealing with the same tradeoffs regarding air flow, cockpit position and visibility, air intake, and rudder/tail assembly. A lot of those design tradeoffs are automatically constrained by the reality of combat role, stealth and supersonic flight.

There are definitely things that can be learned from an opposition force’s plans! Edward Snowden’s leaks included a slide from NSA that is a more sober analysis of some of the things Chinese aeronautical engineers may have learned from F-35 plans:

Looking at that slide, I’m not sure how much of even the stuff NSA calls out as useful is actually useful. For example F-35 heat contours are going to make no difference whatsoever to a twin-engine J-20 or J-31: the F-35’s notorious heat problems are because they’re running the engine extra hard to make up for the fact that there’s only one of them. Without a doubt, there are clever design features in the F-35 that are going to find their way into other aircraft. But I’d say that was inevitable given the size of the F-35 program and the sheer number of cooks in the kitchen: you cannot keep the sauce secret when 100,000+ people have access to the recipe.

The funny part about this whole kerfuffle is that the US should have stolen its own design, namely, the F-16, and improved/updated that instead of designing the F-35 in the first place. The Chinese certainly haven’t stolen the F-35 design so that they could copy the F-35; they’re not that stupid. Nobody in their right mind wants F-35s.

Here’s another weird/odd skeptical point regarding the F-35/J-31 question: the same people who are screaming about Chinese cyberespionage allowing them to copy the F-35 are screaming that the J-31 is a serious threat to US air hegemony. Well, then, I guess it’s not a copy of the F-35, is it?

Secondly, when people say per [2] that “F-35 secrets are showing up in Chinese stealth fighters” how do they know that? Presumably the Chinese stealth fighters are secret, too. I assume that they’re either going based on anonymous assertions from the US government, or they’re going based on pictures of the outside of the aircraft. In other words: they know nothing.

Finally, here’s another thing: the software for the F-35 is not finished now and it wasn’t even close in 2007 when the plans leaked. Considering that Lockheed Martin is sweating over getting the software to the point where the aircraft’s weapons system and flight controls work, now it hardly seems like the Chinese would just start launching fly-by-wire stealth aircraft based on that. And it’s not as though there’s an open source stealth fighter avionics software package you can download for your favorite linux distro. Getting this stuff working is hard – insanely hard – and when I see sloppy accusations of Chinese technology espionage I wonder if what’s really going on is frankly racist: the Chinese couldn’t possibly make something as cool as an F-35 on their own because they’re not, uh, what? American? During the run-up to the Japanese attack on Pearl Harbor a lot of the European powers and the US dismissed the Japanese as practically savages and the fact that the Japanese could fight pretty well was the truly big surprise of Pearl Harbor. What’s going on here with the Chinese/F-35 espionage story appears to be that the Americans can’t believe that the Chinese (1/4 of the world’s population, and the manufacturing hub of a tremendous amount of high tech) could make a decent airplane without stealing the ideas from Americans. But, actually, if they had stolen the plans for the F-35 and copied it, they wouldn’t be making a decent airplane at all – they’d be making an overpriced turkey.

(* It’s actually kind of sad: if you google search for “F-35 plans leak turkey” you’ll get endless pages about what a ‘turkey’ the F-35 is.)

(** A German company, FWIW)

(*** Fokker Elmo makes those electrical systems, too!)

[1] F-35 Lightning II Website: Turkey Participation

I4u: Chinese Test F-31 Stealth Fighter, Cheaper Competitor to F-35 (Notice how they accidentally turned the J-31 into an F-31? Makes it sound a lot more like an F-35. Probably an innocent error.)

[2] Washington Times: Top Gun Takeover: Stolen F-35 Secrets Showing Up In Chinese Stealth Fighter

Vice News: Man Who Sold F-35 Secrets to China Pleads Guilty

Epoch Times: Were the F-35 Plans Deliberately Leaked to China So They Could Build J-31 Fighter (Put your tinfoil hat on!)

Epoch Times: Snowden Confirms Chinese Hackers Stole F-35 Plans, Used to Build Superior Fighter J-31 (Keep your tinfoil hat on!)