Veteran Talk: Latest Authentication Trends for Service Members in the Field

Veteran Talk: Latest Authentication Trends for Service Members in the Field

Q&A with Air Force Reserve Col. Tri Trinh (ret.) and Navy Reserve Senior Chief Petty Officer Alex Antrim (ret.).

Q: What was your personal experience as a member of the military, and what made you look into non-CAC authentication alternatives? 

Tri:

In 2019, I was a Colonel in the Air Force Reserve on full-time military orders working at the Pentagon under the Secretary of the Air Force Chief Data Office. I helped deploy the Air Force Connect enterprise mobile app as a Spark Tank project. AF Connect had a CAC feature that used a mobile CAC reader and physical Common Access Card (CAC) to authenticate into CAC-enabled sites. The footprint of a mobile CAC reader and CAC card sticking out of a phone and tablet got old fast.

With the YubiKey from Yubico, I was able to use the DISA Purebred Registration Application to enroll and provision my YubiKey with my CAC certificates and PIN.

I was dual-hatted as a Squadron Commander at the time with a government issued iPhone. I turned in my government iPhone and used my personal phone to access .mil email. Having to carry an extra phone for email when I already had access with a YubiKey was a burden I didn’t need, so it really made my life easier. 

Alex:

As a Navy Reservist, I was not issued a government laptop or mobile device to perform military-based tasks. Reservists have to rely on their own devices when not in drilling status.  This meant buying my own smart card reader – sometimes more than one –  so I could use my CAC. With varying USB connections on my devices, it was hard to keep the right dongles at the ready. 

When I found out that YubiKeys were approved to hold DoD-issued credentials, similar to my CAC, I jumped at the chance to put one to use. I was able to find a Purebred agent in my Navy Reserve unit that helped provision my FIPS YubiKey with Purebred credentials. I was instantly impressed with how easy the YubiKey was used to authenticate into the Navy workstations in my unit’s computer lab.  When I plugged the YubiKey into the Navy desktop computer, it saw the credentials, asked for PIN, and I was logged into the workstation.

I had the same easy experience with YubiKey on my personal laptop, so I could check email and attend Teams meetings in between drill weekends. The last test was for my personal mobile phone which was successful too. I was able to shelve my smart card readers and get to work. 

How has authentication changed in the armed forces, and where do you see it going in the next decade?

Alex: 

The military is often slow to move on new authentication standards, so other than the shift from CAC credentials to the PIV standard (aligning with the federal government’s PKI), service members must still rely on smart cards to authenticate to devices and services. However, I can confirm people at high levels are looking closely at the most up-to-date FIDO2 standard and are working through testing. I hope and expect that soon there will be an approval document coming from the DoD CIO office. Flexibility is going to be really important to service members. A uniformed person should not have to worry about multiple CAC readers or what device is within reach.  All they need to have is their provisioned YubiKey, plug it into their device, and conduct business as usual.

Tri: 

The good news is that YubiKey is a multi-protocol authenticator, so it can closely follow the evolution path that DoD is on. Once DoD gives the green light on deploying FIDO2 credentials for stronger authentication, YubiKey is already FIDO2 compliant and the transition should be seamless. 

How does a hardware-based authentication device like the YubiKey make service members’ lives easier? 

Alex:

One important and positive difference between the YubiKey and the CAC is that no identifying and amplifying information is on the YubiKey. The CAC is instantly recognizable around the world as a form of identification for members of the U.S. Armed Services.  Service members serving overseas are taught to blend in and not draw attention to themselves (for good reason). But try doing that when a DoD identification card is hanging out of a laptop or mobile phone when you’re in public at a coffee shop! If it’s a dongle, or something larger like a reader, there’s a much higher likelihood that it breaks. A low profile device like the YubiKey ends up being a huge value-add to those serving outside the continental US. 

Tri: 

Definitely agree. And there are a number of other reasons you might want more flexibility and speed when you’re overseas. For example, you only get one CAC – if you lose it, you’re looking at weeks of downtime while you struggle to get a new one issued. But if you have a backup YubiKey in your kit, and you’re able to authenticate with it, you’ve solved that problem. Even if you don’t have a backup handy, getting a replacement can be done same-day, plus some shipping time, as you won’t have to go through the CAC-replacement channels. 

Speaking of “low profile,” are there other security concerns service members have that are avoided when you can authenticate without a reader? 

Alex: 

Well, as I mentioned, the port connections on different devices and laptops often require more readers than one person wants to carry while traveling or working in a non-military-base environment. Some readers have even been known to carry malware, as they are not required to have the same compliance checks as a YubiKey. So if a service member unwittingly gets a reader from some unauthorized provider, there’s a significant risk that it could be compromised and create a vulnerability. 

Tri: 

Right. CAC remains a very secure channel for authentication, especially when it’s used at sanctioned workstations or on base. When you’re talking about gaining access to a military installation, or proof of eligibility for healthcare and military benefits (e.g. commissary, BX/PX/NEX, billeting), then you’re still going to go with CAC. It’s not going anywhere.

But we live in a much more mobile work environment world than we did 20 years ago. So it’s worth discussing how we can augment current authentication in different contexts, especially mobile environments. How do we add value and make things easier to use for the rank-and-file servicemember who may be working at multiple sites, that’s what we’re working on improving. 

What other applications would strong non-CAC authentication have, the ones we may not immediately think about? 

Alex: 

I think mission partners are something to consider. The military works with so many mission partners that don’t have CAC-enabled ability to authenticate securely. 

DoD wants to maintain secure coalition networks for intelligence and data sharing with mission partners. Those networks often bring new authentication challenges. FIDO2 is an option to bring phishing-resistant MFA to non-CAC eligible mission partners that need to securely authenticate into a coalition network. 

Tri: 

There’s another benefit for those who have already served. If you’re working with a hardware-based key like a YubiKey, that can be carried with you once you are discharged from the service. So even after you no longer have a CAC, you can use a YubiKey to log on to VA services, the IRS, or other federal and state agencies that support FIDO2. 

Pentagon Aims to Stop China and Russia from Spying on Academia

Pentagon Aims to Stop China and Russia from Spying on Academia

The Pentagon is moving to block Chinese and Russian organizations from obtaining U.S. technology secrets through academia, according to a Department of Defense memo made public on June 30.

The memo, signed by Heidi Shyu, undersecretary of defense for research and engineering, lists more than 80 Chinese and Russian academic, scientific, engineering, or cultural institutions that have engaged in “problematic activity” geared at improperly gaining access to classified U.S. research or influencing teaching staff or students. The memo is a response to the 2019 National Defense Authorization Act, which sought a Pentagon response to foreign intelligence exploitation of U.S. academic institutions.

The memo requires a review of new research contracts and prohibits Pentagon money going to projects that involve one of the blacklisted entities, based on their previous track record in harvesting U.S. technology secrets, or simply having suspect relationships with Chinese and Russian intelligence organizations.  

Those on the list have “been confirmed as engaging in problematic activity as described in Section 1286 of the Fiscal Year 2019 National Defense Authorization Act, as amended,” the Pentagon said. “These include practices and behaviors that increase the likelihood that DOD-funded research and development efforts will be misappropriated to the detriment of national or economic security or be subject to violations of research integrity or foreign government interference.”

The listing of “these foreign entities underscores our commitment to ensuring the responsible use of federal research funding and safeguarding our critical technologies from exploitation or compromise,” said Shyu in releasing the memo.

The goal of the memo and policy is three-fold, Shyu said:

  • To ensure the security of DOD-funded fundamental research
  • To ensure that participants in sensitive research “fully disclose information that can reveal potential conflicts of interest and conflicts of commitment”
  • To provide “clear messaging” to those doing fundamental research about what constitutes “acceptable and encouraged behaviors” as well as activities “that may lead to challenges in securing DOD research funding.”  

Along with the suspect “foreign entities” list, the Pentagon posted a “Policy for Risk-Based Security Reviews of Fundamental Research,” which now requires that any basic research funded by the Defense Department “go through a review for potential conflicts of interest and conflicts of commitment rising from foreign influence.” The policy includes a template for DOD program managers to follow in awarding contracts for research, to help them spot “signs of potential foreign influence and appropriately mitigate risk.”

The Pentagon “encourages academic institutions, industry partners, and the public to review the list and exercise caution when engaging with entities listed,” Shyu said.

China and Russia have both engaged in long-term cyber espionage, stealing technology secrets from U.S. companies, and the new effort is aimed at thwarting similar efforts through colleges and universities.

Not all of the targeted institutions are focused solely on direct espionage. One, the “Confucius Institutes,” awards scholarships to students in a variety of academic fields and offers free Chinese language lessons, along with free trips to China to students with desirable knowledge. The Heritage Foundation described the Confucius Institute as a “Trojan Horse,” seeking to convince American students and professors that China is a benign actor and a potentially constructive partner in research, when actually, Heritage said, it is part of a “soft power” campaign to encourage research organizations to share sensitive knowledge with China.

The Confucius Institute has satellite locations on scores of U.S. university campuses, but the new guidelines say that from 2024 forward, no American college or university with a Confucius Institute presence can receive Pentagon research money without a detailed waiver.  

Other organizations on the list have lent or granted money to research organizations and universities, in exchange for access to the results of defense-oriented research.  

The Government Accountability Office identified the practices of these suspect entities in a 2020 report and urged the Pentagon to put policies in place that would protect U.S. research and researchers from hostile entities posing as scientific benefactors.

Shyu and her recent predecessors have pushed for greater Pentagon-academic partnerships to address technology challenges that could have commercial benefit to the U.S. economy, as well as military-only challenges that could make headway with funding or resources supplied by the DOD. Hypersonics testing capabilities are among those the Pentagon is setting up at academic institutions.   

The FBI has reported an uptick in recent years of Chinese and Russian research organizations attempting to recruit agents in the scientific community, or inducing them to sell or share their work, or research to which they have access.

Classified Information Regulations Need Improvement, DOD Finds

Classified Information Regulations Need Improvement, DOD Finds

After the Department of Defense conducted a 45-day review of its classified information programs, policies, and procedures, Secretary of Defense Lloyd J. Austin III said the “overwhelming majority” of DOD personnel with access to classified information are “trustworthy” in a memo released on July 5. However, the DOD still needs to improve how it handles classified information by clarifying its regulations, Austin wrote.

The review was ordered after Airman 1st Class Jack Teixeira, a Massachusetts Air National Guardsman, allegedly shared a trove of classified documents on the war in Ukraine, the Indo-Pacific and Middle East military theaters, and other sensitive subjects on an online group chat.

The review “identified areas where we can and must improve accountability measures to prevent the compromise of [Classified National Security Information], to include addressing insider threats.”

A senior defense official who requested anonymity told reporters on July 5 that the 45-day review did not delve into the specifics of Teixeira’s case, which is still being investigated. Instead, the review focused on “umbrella-level of department policies and procedures,” the official said.

The senior defense official said one of the most important findings was that the Department of Defense needs to establish a consistent way for low-level security managers to stay in touch with the Defense Counterintelligence and Security Agency and vice-versa. That kind of two-way dialogue is essential for continuous vetting, a process whereby the background of a cleared individual is regularly reviewed.

“As we’ve transitioned to continuous vetting, we need to get to that local area security manager and make sure they understand what is available to them, what information they can have on their personnel, how important that accountability relationship is,” the official said.

Beyond fostering a dialogue with DCSA, the Department of Defense also needs to clarify its standards for handling classified information, the official said. These standards, which vary between organizations and between different varieties of classified information, can be difficult to keep straight, the official said.

“As someone who’s read a lot of DOD policies, they are not the clearest documents always,” the official said. “I am not surprised that as they’ve layered on top of each other … and as this complex classified information environment has grown, that there’s a need to make sure that we are looking at them from a stand-back distance to make sure they’re understandable and that our workforce can use them to the best of their ability.”

Ambiguity can lead to inconsistency in how standards are applied. One example the official referred to is a requirement for top secret control officers, who are responsible for “receiving, dispatching and maintaining accountability of all Top Secret documents” according to Air Force regulations. The senior defense official said public-facing policy states that top secret control officers are optional, but other policies state that they are mandatory, which can cause confusion.

“Then if you get into what is a reportable offense and who you have to report it to … some of that is also confusing,” the official said. “If you’re a local level security manager managing a joint unit for example, who do you report it to, how do you do all of that?”

The official said clear regulations are especially needed to keep pace with a growing number of locations where classified materials are handled. Besides the large, highly-fortified facilities like the Pentagon and the Defense Intelligence Agency, there is a growing number of smaller facilities which require unique ways of keeping classified information secure, she said.

Instead of a single point of failure, the official said that multiple factors contribute to security incidents. The 45-day review provided a chance “to make sure that we looked at this as quickly as possible to make sure that we made the improvements that we could quickly” as the Teixeira investigation continues, the official said. That kind of self-assessment is in line with industry best practices for mitigating insider threats.

“If there were a perfect solution for this, I’d be out of a job,” Daniel Costa, technical manager of enterprise threat and vulnerability management at The National Insider Threat Center at Carnegie Mellon’s Software Engineering Institute, told Air & Space Forces Magazine in April.

“There’s an inherent risk that comes along with doing business,” he added. “What we’re talking about is human nature, and thinking about insider threats as an inherent risk to organizations requires real careful planning and organization-wide participation to reduce that risk to acceptable levels.”

Besides the 45-day military-wide review, the Department of the Air Force is conducting a review of its policies regarding classified information and an Inspector General review of security practices at Teixeira’s unit, the 102nd Intelligence Wing

In his June 30 memo, Austin also directed all Department of Defense component heads to take a range of steps meant to ensure that Department of Defense personnel are assigned to a Security Management Office; that military Sensitive Compartmented Information Facilities (SCIFs) comply with Intelligence Community Directive requirements; that all SCIFs and Special Access Program Facilities (SAPFs) are accounted for in a centralized tracking system; that personal or portable electronic device use is prohibited in those facilities; that Top Secret Control Officers are required for top secret information; and that a Joint Management Office for Insider Threat and Cyber Capabilities is established for monitoring threats and user activity across all military networks.

To enhance communication with the DSCA, Austin directed the undersecretary of defense for intelligence and security, Ronald S. Moultrie, to make a plan for analyzing training needs; examining or improving how to make continuous vetting information more readily available, and optimizing tools for sharing that information within the military. Many of the deadlines for taking these steps fall between July 31 and December 31 of this year.

Both Austin and the senior defense official expressed a desire to avoid overcorrecting by placing unnecessarily restrictive policies on information sharing as the military works out better practices for handling that information.

“The Department is mindful of the need to balance information security with [the] requirement to get the right information to the right people at the right time to enhance our national security,” according to a fact sheet on the security review provided to the media.

Air Force Tests New Drone Airspace Management System

Air Force Tests New Drone Airspace Management System

Deconflicting airspace was rarely a problem in the early days of Predator drones, but today the number and types of drones is rapidly expanding, with some that can be carried in backpacks and others that lift off vertically. That makes managing airspace a challenge.

Army Chief of Staff Gen. James C. McConville complained about the “industrial age” system for deconflicting crewed aircraft, drones, and surface-to-surface rockets during an exercise last winter. Air Force officials told Air & Space Forces Magazine soon after that the Army and Air Force were working to develop a better approach in the future.

Now the Air Force has a CLUE about what that future looks like: the Collaborative Low-Altitude UAS Integration Effort, a product of the Air Force Research Laboratory’s Information Directorate and AFWERX, AFRL’s innovation directorate. The new UAS Traffic Management (UTM) system was installed at Eglin Air Force Base, Fla.

“Airspace management will play a key role for the future of air mobility,” Darshan Divakaran, AFWERX’s head of airspace innovation and partnerships said in a June 29 news release.

Located at Eglin’s Duke Field, the UTM system seeks to prove that “current “air traffic management systems can ensure complete safety as drones and electric vertical takeoff and landing [eVTOL] aircraft take flight,” according to the Air Force.

Eglin’s 413th Flight Test Squadron is responsible for evaluating and testing the commercial CLUE system, AFWERX said. “The testing will focus on evaluating the UTMs’ capabilities for deconfliction, communication, and security, as well as low-altitude weather and beyond-visual-line-of-sight operations.”

Eglin is the primary proving ground, but testing also will take place elsewhere, AFWERX said. The Air Force is also working with Federal Aviation Administration, Department of Transportation, and NASA in seeking to maintain tracks on the small UASs at altitudes up to 12,000 feet .

Future testing at Eglin will involve a variety of UASs under 70 pounds, a size that will allow the drones to “fly more often and with fewer restrictions,” according to Maj. Riley Livermore of 413th Flight Test Squadron. The Air Force then hopes to start testing how electric vertical takeoff and landing aircraft, larger drones, and other aircraft can be operated together.

The CLUE system at Eglin has been used to “track two to three simulated uncrewed systems operating in their designated airspace along with live, manned air traffic,” said Brooke Ezell of AFWERX. “This provided a really helpful picture for how manned and uncrewed air traffic can coexist safely.”

Thousands of Airmen Spread Across Pacific in Massive Mobility Exercise

Thousands of Airmen Spread Across Pacific in Massive Mobility Exercise

The U.S. and its allies kicked off a massive air exercise, Mobility Guardian, on July 5 in the Indo-Pacific region. Run by Air Mobility Command, the highly anticipated exercise has been billed as one of the most critical Air Force drills of the year, with 3,000 personnel directly supporting the exercise and 70 aircraft participating. As the Department of Defense shifts its focus to the Indo-Pacific, logistics will be key to enabling the U.S. military to be ready to fight thousands of miles away from the continental U.S.

“This year’s MG23 reflects an evolution from the exercise’s previous three U.S.-based iterations and aims to understand and overcome distance to deliver the mobilization, deployment, and sustainment functions that the Joint Force, allies, and partners depend on to respond to challenges worldwide,” AMC said in a news release.

Participating allies include Australia, Canada, France, Japan, New Zealand, and the United Kingdom in a training event that spans 3,000 miles and runs non-stop until July 21.

The exercise “will turn planned integration into operational integration within the theater,” said Gen. Mike Minihan, the head of Air Mobility Command, in a statement. Mobility Air Forces, he added, would stretch “to meet future demands and protect shared international interests with our allies and partners.”

Preparations for Mobility Guardian have been underway for more than a year. The biennial exercise, first launched in 2017, had previously been limited to the continental U.S. The 2023 edition is the “largest full-spectrum readiness exercise in AMC, which dates back to 1992. The exercise will support 15,000 U.S. forces and serve as “cohesive glue” for Air Force drills throughout the Pacific, the command said.

To reach its operating locations for the exercise, a Royal Air Force A400 flew over 20 hours nonstop from the U.K. to Guam, a record sortie for A400. The RAF said its participation in the exercise marks a “strategic demonstration of the UK’s commitment to operate in the region.”

“AMC’s role in enabling the meaningful maneuver of forces throughout the theater underscores the necessity of logistics and realistic interoperability in the region,” the command said.

Airlift, aerial refueling, aeromedical evacuation, command and control, and humanitarian and disaster assistance missions will all be exercised over the coming weeks. Minihan, was previously deputy commander of U.S. Indo-Pacific Command, has been focused on preparing his Airmen for a possible fight with China—sometimes landing in hot water for bellicose language.

But Minihan’s command noted that Mobility Air Forces (MAF) are vital to any future U.S. military operations in the Pacific, which would require airlifting troops and supplies and tanker refueling to allow the Air Force and other services to operate over vast distances.

“This is a proving ground for the MAF’s new status quo tested through the application of flexible and agile concepts,” said Lt. Col. Jake Parker, Mobility Guardian exercise director.

Minihan previewed the exercise at AFA’s Warfare Symposium in March, making clear Mobility Guardian is intended to be a learning experience.

“Some things won’t go perfect,” he said then. “We’ll go back and we’ll work harder to get it and we’ll close gaps as quick as we can.”

Can Cargo Be Delivered ‘To, From, and Through’ Space? DOD Wants Ideas Soon.

Can Cargo Be Delivered ‘To, From, and Through’ Space? DOD Wants Ideas Soon.

Space is taking on more responsibilities for the U.S. military, from command and control to missile warning. Next on the agenda: cargo.

In a June 30 solicitation, the Defense Innovation Unit is seeking “novel commercial solutions that enable responsive and precise point-to-point delivery of cargo to, from, and through space.”

DIU was founded to adopt commercial technology and non-traditional suppliers by bypassing conventional acquisition processes.

“Rocket cargo” is already being explored by U.S. Transportation Command and the Air Force Research Laboratory, but those efforts are focused on point-to-point logistics for heavy payloads up to 100 tons. The aim is to support austere operating locations in the midst of future conflict with uncrewed space vehicles, eliminating the need for overflight rights or putting air or space crews at risk.

DIU is focused on smaller payloads, from tens to hundreds of kilograms. It aims to conduct proof-of-concept demonstrations of rockets to deliver cargo to objects to orbit, deliver cargo from one orbit to another, or use space to deliver cargo to a point on Earth.

“The ability to rapidly re-constitute space-based capabilities or re-supply payloads or cargo at precise locations for time-sensitive logistics (in-space or terrestrially) is a critical but presently non-existent capability,” the DIU said. “Sustaining isolated or remote platforms or teams of people affordably and at scale additionally requires evaluation of emerging technology solutions that potentially satisfy commercial, civil, and national security needs.”

The Space Force has a future concept of “tactically responsive space” which could use commercial space launch in a time of crisis. Like the Merchant Marine, which can be tasked to deliver materiel in a time of war and commercial cargo carriers, which TRANSCOM leveraged when moving cargo for Ukraine to Europe after Russia’s February 2022 invasion, space may also have rapid-fire needs. “There is a need to deliver and return payloads and cargo accurately, safely, and on demand” and it wants proposals that are viable even without demand from the DOD.

Following the model of the Space Development Agency, which is pursuing a rapid-acquisition strategy for satellites, DIU seeks a solution that could meet a “lead time, in hours or days, from order to launch and orbital insertion,” and that is “flight-ready” in 24 months. DIU asked for submissions by July 17, a scant two weeks, and expects responding companies to show elements of hardware within 90 days of contracting.

Tim Ryan, the Senior Resident Fellow for Space Studies at AFA’s Mitchell Institute for Aerospace Studies, said DIU’s premise makes clear the growing importance of space not just in the Space Force, but throughout the Department of Defense.

If successful, the concepts DIU hopes to demonstrate could expand to incorporate larger payloads and conduct “suborbital delivery of cargo,” both for military objectives and potentially to assist in disaster response in the future.

SPACECOM’s New Senior Enlisted Leader Puts Guardian in Key COCOM Role

SPACECOM’s New Senior Enlisted Leader Puts Guardian in Key COCOM Role

U.S. Space Command’s new senior enlisted leader will be a Guardian, the first ever picked to advise a combatant command. Chief Master Sgt. Jacob C. Simmons will succeed Marine Corps Master Gunnery Sgt. Scott H. Stalker, the Pentagon said in a June 26 announcement.

Simmons is currently the senior enlisted leader for Space Operations Command (SpOC) at Peterson Space Force Base, Colo. He took that role in 2022, following in the footsteps of Chief Master Sgt. John Bentivegna, who was recently tapped to become the next Chief Master Sergeant of the Space Force. Chief Master Sgt. of the Space Force Roger A. Towberman, the second-ever Guardian, was SPACECOM’s senior enlisted leader, as well as CMSSF, for four months, from April to August 2020, before turning the reigns over to Stalker.

“Space is ubiquitous,” Simmons said in comments at AFA’s Air, Space, & Cyber Conference in September 2022. “It is involved in every mission, it is involved in every capability, and it must be intertwined as such.”

Guardians must work closely with members of other services, he said, as he will now as the top enlisted member at U.S. Space Command.

“We have to be integrated,” Simmons said last year. “We have to be interoperable.”

Simmons was one of the five finalists to replace outgoing Towberman to become the second-ever senior non-commissioned officer in the service’s history.

Simmons “has served in leadership positions at squadron, group, wing, major command, and Air Staff, as well as joint and multi-national duties in United States Space Command, United States Southern Command, United States Strategic Command, and North American Aerospace Defense Command,” according to his official Space Force biography. Simmons first enlisted in the Air Force in 1992.

“I enlisted into the military because I wanted to do something that mattered; something I could be proud doing until I figured out which way was up for my life,” Simmons said in a 2018 interview.

Before becoming an Airmen and later a Guardian, Simmons came close to joining the Army, he said.

“Growing up at Fort Hood, Texas, I actually had every intention of joining the Army and would have been a Soldier had I not listened to a still small voice during one life-changing event,” Simmons said. “While getting set to sign my very final piece of Army enlistment paperwork at MEPs [Military Entrance Processing Station], an Airman walked by in service dress. I stopped just shy of the oath when I realized that in my eagerness to get ‘life’ started, I didn’t research all of my options. I owed myself that.”

That experience will likely serve Simmons well as the senior enlisted leader of SPACECOM where he will hear from the rank and file members of all services and advise the commander of U.S. Space Command, Army Gen. James H. Dickinson.

F-35 Production Challenged to Keep Up with Demand

F-35 Production Challenged to Keep Up with Demand

Javelins, HIMARS launchers, and artillery have dominated the discussion of armament production that has shifted into high gear since Russia’s February 2022 invasion of Ukraine. But increasing F-35 orders have also raised questions about the capacity of the industrial base to keep up with demand, which could outstrip the planned peak output of the Lockheed Martin-made stealth fighter.

Israel announced a fresh order for F-35s on July 2, saying it will buy an additional 25 aircraft on top of the 50 it has already purchased. The Czech Republic got the green light from the U.S. State Department last week to buy 24 F-35s, which will replace the Saab JAS-39C Gripen fighters the Czechs have been leasing. The Gripens will go back to Sweden in 2027, but neither industry nor U.S. government officials could say if Prague will have its first F-35s by then.

Since 2022, several European countries—Finland, Switzerland, Germany, and now the Czech Republic—have announced plans to order 159 F-35s, collectively amounting to more than a whole year’s worth of production under Lockheed Martin’s planned maximum annual production rate of 156 aircraft by 2025. That figure doesn’t include Poland, which ordered 32 of the fighters in 2020, or Greece, which has signaled it wants to buy 20-24 F-35s, but the formal application for which has not been completed. Countries already flying the F-35 in Europe include Belgium, Denmark, Italy, Norway, and the U.K., most of which are still taking deliveries. Some non-European customers such as Japan, South Korea, and Singapore have ordered additional aircraft to build their growing F-35 fleets, and Canada is moving toward a purchase of 88 aircraft. More buyers are expected to signal plans to acquire the fighter in the next year.

The ordered aircraft will be delivered across a staggered series of production slots with some countries filling out their fleets across a decade or more.

The F-35 is the only 5th-generation fighter in production and cleared for export, leaving customers that want to upgrade their 4th-generation fighters fleets with the choice of buying the F-35, buying a “4th- generation plus” fighter like the latest F-16 Block 70 models, or waiting for a future 6th-generation fighter to become available for export.

The U.S. military, meanwhile, has indicated it will stick close to its fiscal year 2024 plan of buying 83 F-35s—48 for the Air Force, 19 for the Navy and 16 for the Marine Corps—for a while. The Air Force plans to buy 48 a year until 2028, and beyond that, it is still planning to buy 980 F-35s in total, to reach its never-altered original goal of 1,763 of the fighters.

The U.S. military has allowed foreign customers to take some of its slots on the production line before, preferring to buy newer versions of the F-35 that have greater capability.

A rate of 156 could also be challenging because it’s a big step up from current production. The Lot 15, 16 and 17 contracts were for 145, 127 and 126 aircraft, respectively, the latter being an optional level dependent on new orders.

Counting all known customers and backlog, the U.S. military will buy about half of the F-35s produced annually under current plans with the rest going to foreign customers.

Foreign buyers tend not to disclose their plans about when they will field new-build fighters. Announcements of such sales usually only include the planned dates of initial deliveries.  

The Mitchell Institute for Aerospace Studies has urged the U.S. services and the Pentagon to increase production and F-35 industrial capacity, so the U.S. military and partner F-35 users don’t have to wait too long to fill out their fifth-generation fighter fleets. The Air Force originally planned to buy 110 F-35s a year. The figure was later reduced to 80, then 60, and in recent years to 48 or fewer aircraft a year.

Lockheed Martin has said that negotiations with the Joint Program Office for F-35 production lots 18 and 19 are well underway, but those lots seem to be predicated on a maximum rate of 156 aircraft. The next lot is expected to be the first after a declaration of full-rate production, clearing the way for multiyear contracts on Lot 20 and beyond. Pentagon and JPO officials have said that 156 is, effectively, full rate, although Lockheed has said that it could, with additional resources, push production above 220 aircraft per year.  

Air Force acquisition chief Andrew Hunter told the Senate Armed Services Committee in April that Lockheed would be “very stressed” to produce more than 156 aircraft annually. Producing more that would mean “we would probably have to increase tooling” and add more shifts of workers, which have been hard for Lockheed to hire, Hunter said. Lockheed has pegged some delivery delays to worker shortages at component and material supplier companies trying to recover from the COVID-19 pandemic.

Hunter also said the center body of the aircraft is another “significant limiter.” Northrop Grumman builds the center body of the F-35 at its Palmdale, Calif. facilities, where it also builds the new B-21 Raider bomber, and has said it lacks the room to expand there easily.

The program was initially counting on Turkey to produce a substantial number of the center body assemblies for the international market, but Turkey was drummed out of the F-35 program in 2019 as a consequence of Ankara opting to buy Russian S-400 air defense systems. The other F-35 partners ousted Turkey from the program because Russian tech representatives helping Turkey set up and use the S-400 would have gained crucial insights into tracking and targeting the F-35, a situation the partners and NATO considered unacceptable. Turkey said it pursued the deal because Western nations couldn’t make a competitive offer of their own air defense systems.

Lockheed has struck a deal with Rheinmetall of Germany to produce F-35 center fuselages, creating an industrial offset for Germany’s purchase of 35 of the fighters and creating a degree of organic maintenance capability, but the exact timing of production there is not certain.

The 1,000 F-35 should come off the assembly line at Lockheed’s Fort Worth, Texas facility next month. However, the company is storing new-build Air Force F-35s because they have been built with the Technology Refresh 3 upgrade, testing of which is not yet complete. The aircraft could be delivered later in the year or by early in 2024, with a “top-off” software add to take into account discoveries during testing. The TR-3 upgrade first appears on Lot 16 and 17 jets. The TR-3 underwrites the new weapons and electronic warfare capabilities that will be part of the F-35 Block 4 upgrade.

More F-35 orders are part of increasing weapons buys throughout the world. Now defense companies must try to meet the demand.

Building the Force We Need in the Pacific: SECAF Kendall Has the Right Vector 

Building the Force We Need in the Pacific: SECAF Kendall Has the Right Vector 

Secretary of the Air Force Frank Kendall has begun each of his eight Congressional budget posture hearings with a reference to Gen. Douglas MacArthur’s warning that almost all military failures can be summed up in the words “too late.”

Our Secretary of the Air Force is right on target. Gen. MacArthur spoke from a position well within range of enemy attacks. That perspective is too often absent in debates over weapons system development, which tend to be Washington-centric and politicized among Congressional, Pentagon, and industry participants.

Over the course of a decade, I was honored to serve in and lead U.S. Forces Japan, Gen. McArthur’s legacy headquarters and command, where our constant focus was being ready to respond to China threats. We had our eyes on China’s military build-up and on North Korea’s provocative activities.

Congressional and defense industry leadership occasionally visited our headquarters at Yokota Air Base, West of Tokyo, in the 2002-2005 timeframe, but rarely listened. We had little to no ability to influence joint warfighting requirements, including the need for timely, responsive upgrades to the offensive capabilities of our combat air forces, to air base defense, command and control systems, satellite early warning, or targeting of Chinese and North Korean surface-to-surface launch capabilities. Nor were we asked about the integration of electronic warfare and then-emerging cyber operations technologies. Like all joint warfighting commands, U.S. Forces Japan has zero contractual authority for weapons systems and no acquisition budget.  

During that period and the decades that followed, America’s national security leadership was actively engaged in another fight: trying to deter threats and promote stable, friendly governments in the Middle East. With attention focused elsewhere, the Chinese Communist Party was able to leverage economic growth and insights gained watching the U.S. military at work to accelerate its own military build-up. Today, the United States can no longer guarantee that America’s joint warfighters will be decisive in combat operations across U.S. Indo-Pacific Command’s area of operations, including protecting our allies and partners in Taiwan, Japan, and South Korea.  

While Congressional and Pentagon leaders emphasize support for American warfighters, the fact is that unified combatant commands and sub-unified commands like U.S. Forces Japan are limited in their ability and authority to influence joint warfighting requirements with their own threat-informed analysis. The Joint Requirements Oversight Council led by the Vice Chairman of the Joint Chiefs of Staff is dedicated to being the voice of the joint warfighter, but this organizational construct is neither optimized for speed or efficiency. Our long-established Congressional, military, and defense industry cultures put too many cooks in the kitchen. Acquisition staff too frequently lack combat and operational theater experience, and too often default to NO when they should instead try to understand new ideas.  

As Air Force Secretary, Kendall has brought a lifetime of experience, as a Soldier and as a policy maker, to the Department of the Air Force. His decades of experience, keen insight, and driven focus on operational effectiveness are making a real difference. By focusing strategically around seven core “Operational Imperatives” and three “Cross-cutting Operational Enablers,” Kendall has rallied his Air and Space Forces leaders around the key requirements that will transform his department’s operational effectiveness.  

Secretary Kendall knows the most important customers for new capabilities are our military operators, including the Service Chiefs whose long experience in operational theaters informs their understanding. Forging close partnerships between operational customers and acquisition professionals is crucial. It’s no accident that he called these imperatives, which are all focused on acquiring new capabilities, “operational.” From the moment he took office, Secretary Kendall has repeatedly called for accelerating the delivery of “meaningful operational capability to the warfighter.”  

When the Korean War began, communists in the North and their Russian and Chinese backers took advantage of American weakness—a small trip-wire force in South Korea, in particular—to force a war America never wanted. In Vietnam, a decade later, the United States was again drawn into a conflict for which we were unprepared. Having built a force to deter nuclear war, America was unprepared for the kind of fight Hanoi waged against our allies in the south.  

By the time we had the military capabilities to be decisive, the nation had lost its will to fight. “Too late,” as McArthur said.  

Now we face new dangers. The instigators are familiar, even if the means, methods, and conditions are less so. We must listen to the commanders in the field. No one understands the threat better. Pentagon leaders, Senate and House committee members, and the defense industry all must pay heed. They must do so before it once again is “too late.” 

Lt. Gen. Bruce Wright, USAF (Ret.), is the President & CEO of the Air & Space Forces Association. A 1973 graduate of the Air Force Academy, Wright is a U.S. Air Force Weapons School graduate, and was the J3/Director of Operations of U.S. Forces Japan; commander of the 35th Fighter Wing at Misawa Air Base Japan, and concluded his career as Commander of U.S. Forces Japan and 5th Air Force in 2008. He led F-16 combat missions from 1991-1994 in Iraq and Bosnia Herzegovina. Wright has also served in the defense industry with responsibility for classified programs.