F-35, software dependency, ODIN, and mission data: what can Washington really control, and what room for maneuver remains for buyers?
In summary
The debate over the F-35’s alleged “kill switch” obscures the essential issue: the digital dependency of a weapons system designed as a software platform. Support is provided through ALIS and then ODIN, a maintenance and logistics chain that centralizes information on the aircraft’s status, parts, anomalies, and updates. The aircraft can fly without a constant connection, but availability and effectiveness deteriorate if patches, threat libraries, and mission data are no longer available. The real vulnerability lies less in a magic button than in a series of levers: cryptographic keys, mission files, access to reprogramming tools, supply chain, and industrial support. For buyers, sovereignty is at stake in contracts, network architecture, data protection, and local investment (inventory, workshops, skills). The F-35 offers unique interoperability, but it also requires accepting a degree of dependence.
The F-35, an aircraft whose power also comes from what cannot be seen
The F-35 is not just a stealth airframe, an engine, and sensors. It is a complete chain, where the aircraft, its test benches, maintenance tools, and updates form a coherent whole. Saying “I’m buying an F-35” is, in practice, tantamount to buying lasting access to an ecosystem. This is where the debate on digital sovereignty comes in.
This dependence is no accident. It is a logical consequence of a highly regulated multinational program and an architecture designed to evolve through software increments. The more powerful the aircraft becomes, the more it depends on intangible elements: threat libraries, data fusion algorithms, software versions, cyber patches, sensor settings, and theater-specific mission files.
This model offers real benefits. It allows for regular upgrades, standardization of practices, and rare interoperability between allied fleets. But it also introduces a structural software dependency: the buyer is never completely “in control,” even if they have political sovereignty over its use.
The ALIS and then ODIN systems, the backbone of support
The role of ALIS, then the transition to ODIN
For years, ALIS was at the heart of F-35 support: configuration tracking, parts management, maintenance planning, operations traceability, availability status, and, incidentally, technical data ingestion. ALIS has also been criticized for its complexity, cumbersomeness, and flaws, with thousands of anomalies reported over time. It has been gradually replaced by a modernized approach: ODIN.
ODIN is not just “new software.” It is an architectural shift, more cloud-oriented, more modular, and designed to reduce the load on squadrons. The associated hardware kits have been presented as significantly more compact and less expensive than older servers, reflecting a desire to shift some of the IT burden to centralized services.
The myth of “constant connectivity” and operational reality
The idea that an F-35 would become unusable “within days” without a permanent connection is too simplistic. An aircraft can fly without being continuously connected to a remote infrastructure. In deployment scenarios, forces know how to work in degraded mode, with workarounds and deferred entries.
However, the constraint lies elsewhere: the longer the degraded mode lasts, the more debt accumulates. Modern maintenance is data maintenance: it is necessary to track, record, synchronize, and requalify. Official communications and institutional exchanges have already mentioned temporary “offline” operating capabilities lasting several weeks, but this relies on manual monitoring practices and the acceptance of an increased risk of configuration errors. And in the world of air combat, a configuration error is not a minor detail: it is a factor in flight safety and availability.
In other words, the F-35 does not magically “shut down.” It erodes: first in availability, then in performance, and finally in sustainability if the outage is prolonged.
Mission data, the other often-forgotten dependency
Mission Data Files, a key to performance
One of the most sensitive levers is not maintenance, but the mission. The F-35 is designed to detect, classify, and prioritize threats. To do this, it relies on libraries and models that describe radars, surface-to-air systems, links, signatures, and emission behaviors. These packages are often grouped under the term Mission Data Files.
Without this tailored data, the aircraft can continue to fly, but it loses some of its added value: less accurate identification, less relevant alerts, less effective sensor fusion, and therefore slower tactical decision-making. In a conflict, it is precisely this “time saved” that counts.
Reprogramming laboratories, between cooperation and supervised autonomy
To reduce dependence, some countries have invested in reprogramming capabilities, often in cooperation with others. The most telling example is the existence of structures dedicated to the production, verification, and validation of mission data in an allied framework, with teams, “hardware-in-the-loop” testing resources, and synchronized update cycles.
This is a form of autonomy, but not total autonomy. This is because reprogramming operates within a technical and legal framework: certified tools, controlled environments, and strictly defined distribution perimeters. The buyer gains latitude for “sovereign missions,” but within an ecosystem where certain building blocks remain locked.
This is where the issue of mission codes becomes concrete. Power is not only in the aircraft. It is in the ability to quickly produce relevant data, test it, distribute it, and certify that it works in the current software version.
The “kill switch,” a false image that hides very real levers
The feasibility of remote shutdown, and why the hypothesis is fragile
The fantasy of the “kill switch” is popular because it is simple. It evokes a remote control that would instantly immobilize a foreign fleet. In practice, a generalized, discreet, and guaranteed remote shutdown of aircraft deployed in sovereign networks is difficult to achieve without leaving traces, without relying on connectivity, and without exposing a spectacular cyberattack… and therefore one that can be attributed.
Above all, a true universal “kill switch” would pose a systemic trust issue throughout the program. If partners believe that such a mechanism exists, they will demand costly concessions or reduce their purchases. This is a bad industrial calculation.
Credible, more gradual, and more political levers
Where the debate gets serious is on the less spectacular levers. Dependence does not come from a switch, but from a set of manageable dependencies… until the day they become critical.
First lever: the pace and access to updates (cyber patches, functional developments, compatibilities). Second lever: security keys and mechanisms, which condition access to certain functions, equipment authentication, or the distribution of sensitive data. Third lever: industrial support capacity, including the availability of parts, in-depth repairs, and certified skills.
This is not a “shutdown.” It is pressure. And this pressure can be exerted gradually, making it more politically plausible. This is where some people talk about right of review: not on every operational sortie, but on a country’s ability to sustain a high tempo without cooperation.
Digital sovereignty, a matter of data as much as missiles
The issue of data flows and operational confidentiality
The F-35 generates a mass of data: system statuses, logs, parameters, failures, trends. This data is valuable for improving the fleet and anticipating faults. It is also sensitive, as it describes usage profiles, availability rates, deployment modes, and sometimes signatures.
This is why some buyers are looking for architectures that limit what leaves their networks. This plays out at a very concrete level: segmentation, encryption, gateways, separation of classified domains, field filtering, and telemetry governance.
The difficulty is that improving the system relies precisely on the exploitation of this data. Locking down too much reduces the collective benefit. Opening up too much means accepting strategic exposure. In this dilemma, technology does not decide. Politics decides.
Dependence as the price of interoperability
The F-35 is often sold as an allied standard, particularly because it promotes coordination between forces and the pooling of procedures. It is a promise of NATO interoperability. But strong interoperability requires a common foundation: harmonized software, aligned update cycles, and shared validation methods.
The downside is obvious: the more common the standard, the more limited the scope for sovereign variation. The buyer is not a prisoner, but they are integrated. And in an integrated system, absolute freedom is incompatible with overall consistency.
The commercial consequences, between a powerful argument and a point of friction
The weight of the “platform” model in sales
Commercially, the ecosystem is a selling point: it guarantees continuous development, shared support, and a fleet-based approach. For a purchasing country, this can reduce national engineering costs, accelerate ramp-up, and offer long-term assurance, as the installed base is very large and the program is designed to last for decades.
Public figures give an idea of the scale: acquisition and support plans have been estimated at over $2 trillion over the life of the program, underscoring the industrial depth and interdependence between states and manufacturers. The higher the bill, the more continuity of support becomes a strategic issue, not just a contract.
Objections are becoming increasingly vocal
In Europe, debates have intensified as the issue of strategic autonomy has returned to the forefront. One concern keeps coming up: “What happens if political relations become strained?” This is not a theoretical question. It influences timelines, contract clauses, parts inventories, and the willingness to invest in local maintenance and reprogramming capabilities.
For Lockheed Martin, the answer is often to hammer home the point that the operating countries retain the ability to use the equipment and that the program is structured by agreements. But sophisticated buyers are not satisfied with slogans. They want verifiable operational guarantees: the ability to deploy, maintain, update, and exploit data without leaks.
This is where the idea of industrial lock-in comes in: even without hostile intent, an overly centralized system mechanically reduces a state’s options in the event of a crisis.
Possible countermeasures, with clear costs and limitations
Technical solutions, from filtering to domain separation
There are countermeasures, but none of them are free.
First approach: build sovereign gateways and network architectures that isolate sensitive data while allowing what is necessary for maintenance to circulate. This requires cross-domain solutions, strict classification policies, and continuous audits. Some European cybersecurity companies are positioning themselves precisely in this niche: enabling integration without exfiltration.
The second approach is to strengthen the national capacity to work in degraded mode. This means training, documenting, storing, and practicing. Storing parts, maintaining test benches, having certified skills, and accepting that resilience comes at the price of redundancy.
The third approach is to invest in the rapid production and validation of mission data, at least for national priorities. Again, this is a rare, costly skill that requires testing infrastructure.
Contractual and political levers, often more decisive than technology
Sovereignty is also played out on paper.
A buyer can negotiate clauses on the availability of certain tools, on delivery times for fixes, on continuity procedures in the event of a crisis, and on access rights to data generated by its fleet. They can also require minimum stock levels, maintenance capabilities within their territory, and skills transfers. All of this does not eliminate dependence, but it does reduce vulnerability.
However, we must be clear-eyed: full access to source code, or the ability to freely modify critical functions, is not usually on the table. This is as much a political limitation as it is a technological one. The realistic promise is not total independence. It is partial, organized, and funded strategic autonomy.
The unavoidable limitations that even the best contracts cannot eliminate
Even with countermeasures, certain issues remain structural.
The F-35 modernization cycle is global. The major software components evolve according to a common schedule. Certifications, validations, and compatibilities are designed for a global fleet. Deviating too far from the standard means cutting oneself off from the flow of improvements, thus losing the main advantage of the program.
In other words, the buyer has a choice. Either they accept integration and invest to reduce their risks, or they want maximum sovereignty and must therefore accept another model, often more national, more expensive in terms of engineering, and sometimes less efficient in the short term.
The question that will remain when the emotion subsides
The “kill switch” debate attracts attention because it is spectacular. But the serious question is more sober: who controls the operational continuity of an aircraft whose value depends on updates, mission data, and digitized logistics?
The United States does not need a secret switch to exert influence. The very structure of the program creates leverage points. In most cases, this is not a problem, because political alignment exists and because integration strengthens the collective. The risk arises when alignment cracks, or when a state finds itself dependent without having invested in its resilience.
The right response is therefore neither paranoia nor blindness. It is lucidity: buying the F-35 means buying air power, but also data governance. And in this area, sovereignty is not proclaimed. It is conceived, quantified, and tested in real conditions.
Sources
- U.S. Government Accountability Office (GAO) – F-35 Joint Strike Fighter: Actions Needed to Address Late Deliveries and Improve Future Development (GAO-25-107632, Sept. 2025)
- GAO – Designing the F-35’s Central Logistics System (GAO-20-316, 2020)
- GAO – The F-35: ALIS in the Looking-Glass (blog, March 16, 2020)
- Congressional Research Service – F-35 Lightning II: Background and Issues for Congress (R48304, 2024)
- U.S. Joint Strike Fighter Program (JPO) – ALIS/ODIN Program Page (jsf.mil)
- U.S. Air Force (Edwards AFB) – Initial Deployment of ODIN Equipment / ODIN Base Kit (Feb. 1, 2022)
- Defense News – Could Connectivity Failure Ground F-35? It’s Complicated (Apr. 27, 2016)
- FlightGlobal – F-35 ALIS open deficiencies grow to 4,700 over two years (March 17, 2020)
- UK National Audit Office (NAO) – The UK’s F-35 capability (July 11, 2025)
- Reuters – U.S. to withhold F-35 fighter software code (Nov. 24, 2009)
- USNI News – Foreign F-35 Partners Allowed More Freedom to Customize Fighter Software (Nov. 4, 2014)
- F-35.com – Allies Strengthen F-35 Mission Data Partnership (April 24, 2024)
- Euronews – Can the US turn off European weapons? Experts weigh in on “kill switch” fears (March 13, 2025)
War Wings Daily is an independant magazine.