The Pentagon’s Bug Bounty Program Should Be Expanded to Bases, DOD Official Says

Airman Kai White/U.S. Air Force

AA Font size + Print

The ‘best and brightest’ hackers could accelerate the search for vulnerabilities across some of the Defense Department’s broader critical infrastructure.

The Hack the Pentagon bug bounty program that allowed citizens to test the defenses of Defense Department websites could soon see a spinoff inviting hackers to probe the Pentagon’s critical infrastructure.

Building and electrical systems, HVAC equipment and other critical infrastructure laden with internet-connected sensors often run on operating systems unsupported by vendors. Even as the Pentagon pushes to upgrade its information systems to Windows 10 by this year, its critical infrastructure remains woefully behind.

“About 75 percent of the devices that are control systems are on Windows XP or other nonsupported operating systems,” said Daryl Haegley, program manager for the Office of the Assistant Secretary of Defense for Energy, Installations and Environment.

Haegley, speaking Thursday at an event hosted by OSIsoft, said the assessment was based on visits to 15 military sites. Microsoft stopped providing support for Windows XP in 2014. Haegley, however, said some of the systems that run DOD facilities are far older.

“A lot of these systems are still Windows 95 or 98, and that’s OK—if they’re not connected to the internet,” Haegley added.

Increasingly, though, sensors in these kinds of systems do connect to the internet, or at least newer components of them do. Famously, the Target data breach wasn’t a hack of Target itself, but rather information stolen from an HVAC vendor that worked at its stores. Often, there’s not one person in charge of ensuring these systems are protected, Haegley said.

While DOD is reacting to the threat—a November memo assigns some security responsibilities to DOD’s critical infrastructure—Haegley said he’d like to see a Hack the Pentagon for its critical infrastructure. DOD’s bug bounty program revealed 138 previously undisclosed vulnerabilities and cost about $150,000.

Haegley said he’s seeking senior staff buy-in on the idea. In such an effort, vulnerabilities at one building site would likely help DOD shore up facilities elsewhere.  

“The best and brightest could help us get through that,” Haegley said.

Close [ x ] More from DefenseOne

Thank you for subscribing to newsletters from
We think these reports might interest you:

  • Ongoing Efforts in Veterans Health Care Modernization

    This report discusses the current state of veterans health care

  • Modernizing IT for Mission Success

    Surveying Federal and Defense Leaders on Priorities and Challenges at the Tactical Edge

  • Top 5 Findings: Security of Internet of Things To Be Mission-Critical

    As federal agencies increasingly leverage these capabilities, government security stakeholders now must manage and secure a growing number of devices, including those being used remotely at the “edge” of networks in a variety of locations. With such security concerns in mind, Government Business Council undertook an indepth research study of federal government leaders in January 2017. Here are five of the key takeaways below which, taken together, paint a portrait of a government that is increasingly cognizant and concerned for the future security of IoT.

  • Coordinating Incident Response on Posts, Camps and Stations

    Effective incident response on posts, camps, and stations is an increasingly complex challenge. An effective response calls for seamless conversations between multiple stakeholders on the base and beyond its borders with civilian law enforcement and emergency services personnel. This whitepaper discusses what a modern dispatch solution looks like -- one that brings together diverse channels and media, simplifies the dispatch environment and addresses technical integration challenges to ensure next generation safety and response on Department of Defense posts, camps and stations.

  • Forecasting Cloud's Future

    Conversations with Federal, State, and Local Technology Leaders on Cloud-Driven Digital Transformation


When you download a report, your information may be shared with the underwriters of that document.