Frank Konkel | Nextgov | April 20, 2017 | 0 Comments

A Bug Bounty to Hack Military Bases? It Could Happen.


The Hack the Pentagon bug bounty program that allowed citizens to test the defenses of Defense Department websites could soon see a spinoff inviting hackers to probe the Pentagon’s critical infrastructure.

Building and electrical systems, HVAC equipment and other critical infrastructure laden with internet-connected sensors often run on operating systems unsupported by vendors. Even as the Pentagon pushes to upgrade its information systems to Windows 10 by this year, its critical infrastructure remains woefully behind.

“About 75 percent of the devices that are control systems are on Windows XP or other nonsupported operating systems,” said Daryl Haegley, program manager for the Office of the Assistant Secretary of Defense for Energy, Installations and Environment.

» Get the best federal technology news and ideas delivered right to your inbox. Sign up here.

Haegley, speaking Thursday at an event hosted by OSIsoft, said the assessment was based on visits to 15 military sites. Microsoft stopped providing support for Windows XP in 2014. Haegley, however, said some of the systems that run DOD facilities are far older.

“A lot of these systems are still Windows 95 or 98, and that’s OK—if they’re not connected to the internet,” Haegley added.

Increasingly, though, sensors in these kinds of systems do connect to the internet, or at least newer components of them do. Famously, the Target data breach wasn’t a hack of Target itself, but rather information stolen from an HVAC vendor that worked at its stores. Often, there’s not one person in charge of ensuring these systems are protected, Haegley said.

While DOD is reacting to the threat—a November memo assigns some security responsibilities to DOD’s critical infrastructure—Haegley said he’d like to see a Hack the Pentagon for its critical infrastructure. DOD’s bug bounty program revealed 138 previously undisclosed vulnerabilities and cost about $150,000.

Haegley said he’s seeking senior staff buy-in on the idea. In such an effort, vulnerabilities at one building site would likely help DOD shore up facilities elsewhere.  

“The best and brightest could help us get through that,” Haegley said.


Thank you for subscribing to newsletters from
We think these reports might interest you:

  • Modernizing IT for Mission Success

    Surveying Federal and Defense Leaders on Priorities and Challenges at the Tactical Edge

  • Communicating Innovation in Federal Government

    Federal Government spending on ‘obsolete technology’ continues to increase. Supporting the twin pillars of improved digital service delivery for citizens on the one hand, and the increasingly optimized and flexible working practices for federal employees on the other, are neither easy nor inexpensive tasks. This whitepaper explores how federal agencies can leverage the value of existing agency technology assets while offering IT leaders the ability to implement the kind of employee productivity, citizen service improvements and security demanded by federal oversight.

  • Effective Ransomware Response

    This whitepaper provides an overview and understanding of ransomware and how to successfully combat it.

  • Forecasting Cloud's Future

    Conversations with Federal, State, and Local Technology Leaders on Cloud-Driven Digital Transformation

  • IT Transformation Trends: Flash Storage as a Strategic IT Asset

    MIT Technology Review: Flash Storage As a Strategic IT Asset For the first time in decades, IT leaders now consider all-flash storage as a strategic IT asset. IT has become a new operating model that enables self-service with high performance, density and resiliency. It also offers the self-service agility of the public cloud combined with the security, performance, and cost-effectiveness of a private cloud. Download this MIT Technology Review paper to learn more about how all-flash storage is transforming the data center.


When you download a report, your information may be shared with the underwriters of that document.