A Bug Bounty to Hack Military Bases? It Could Happen.


A Defense Department official wants to find the vulnerabilities hidden in critical infrastructure.

The Hack the Pentagon bug bounty program that allowed citizens to test the defenses of Defense Department websites could soon see a spinoff inviting hackers to probe the Pentagon’s critical infrastructure.

Building and electrical systems, HVAC equipment and other critical infrastructure laden with internet-connected sensors often run on operating systems unsupported by vendors. Even as the Pentagon pushes to upgrade its information systems to Windows 10 by this year, its critical infrastructure remains woefully behind.

“About 75 percent of the devices that are control systems are on Windows XP or other nonsupported operating systems,” said Daryl Haegley, program manager for the Office of the Assistant Secretary of Defense for Energy, Installations and Environment.

» Get the best federal technology news and ideas delivered right to your inbox. Sign up here.

Haegley, speaking Thursday at an event hosted by OSIsoft, said the assessment was based on visits to 15 military sites. Microsoft stopped providing support for Windows XP in 2014. Haegley, however, said some of the systems that run DOD facilities are far older.

“A lot of these systems are still Windows 95 or 98, and that’s OK—if they’re not connected to the internet,” Haegley added.

Increasingly, though, sensors in these kinds of systems do connect to the internet, or at least newer components of them do. Famously, the Target data breach wasn’t a hack of Target itself, but rather information stolen from an HVAC vendor that worked at its stores. Often, there’s not one person in charge of ensuring these systems are protected, Haegley said.

While DOD is reacting to the threat—a November memo assigns some security responsibilities to DOD’s critical infrastructure—Haegley said he’d like to see a Hack the Pentagon for its critical infrastructure. DOD’s bug bounty program revealed 138 previously undisclosed vulnerabilities and cost about $150,000.

Haegley said he’s seeking senior staff buy-in on the idea. In such an effort, vulnerabilities at one building site would likely help DOD shore up facilities elsewhere.  

“The best and brightest could help us get through that,” Haegley said.