Fixing the Pentagon’s Windows XP Problem

Defense Secretary Ashton Carter just announced plans for the Defense Department to collaborate with NATO allies to better protect critical infrastructure in cyberspace.

You’d be forgiven if you missed it. The big news out of his press conference on Tuesday in Estonia was how the Pentagon will ship a brigade’s worth of Abrams tanks, Bradley fighting vehicles and Paladin howitzers, among other equipment, to Eastern Europe in response to Russia’s recent military activity in the region.

But Carter also mentioned the rising threats in cyberspace.

“We must also prepare NATO and our allies for cyber challenges, particularly from Russia,” he said. “That’s why today, I visited NATO’s Cooperative Cyber Defense Center of Excellence, and I’m pleased to announce a new American initiative to bolster the center’s role in leading our partners towards improved cyber defense.”

It sounds like a worthy effort. After all, the Pentagon plans to work with NATO to develop cyber defense strategies, critical infrastructure protection plans and cyber defense posture assessments (whatever those are).

Even so, it’s also important to remember that for all the lofty emphasis the Defense Department is placing these days on various cybersecurity initiatives, it still faces the very practical problem of relying on aging software.

Case in point: The Navy recently signed a potentially $31 million contract with Microsoft Corp. so it can keep using the Windows XP operating system. Yes, that Windows XP — the one that shipped on your desktop PC more than a decade ago.

Here’s the top of the contract announcement:

Microsoft Corp., Redmond, Washington, is being awarded a $9,149,000 firm-fixed-price modification to a previously awarded contract (N00039-14-C-0101) for Microsoft Premier Support services and Microsoft Custom Support services for Windows XP, Office 2003, Exchange 2003 and Server 2003. Microsoft Premier Support services and Microsoft Custom Support services are required to provide critical software hotfixes to sustain deployed capabilities.

Windows XP came out in 2001 and has since been succeeded by Windows Vista, Windows 7 and Windows 8. Microsoft last year stopped providing free support and security updates to the software. Hence, the reason for the company’s contract with the Navy: The service still has some 100,000 workstations that run the aging operating system.

As Steven Davis, a spokesman for the Space and Naval Warfare Systems Command in San Diego, told Martyn Williams of the IDG News Service:

“The Navy relies on a number of legacy applications and programs that are reliant on legacy Windows products. Until those applications and programs are modernized or phased out, this continuity of services is required to maintain operational effectiveness.”

The article also references a Navy report that states the Microsoft applications affect key command and control systems on ships and land-based legacy systems, including those tied to the Pentagon’s non-classified and classified networks — the so-called Nonsecure Internet Protocol Router Network, or NIPRNet, and the Secure Internet Protocol Router Network, or SIPRNet:

“Without this continued support, vulnerabilities to these systems will be discovered, with no patches to protect the systems. The resulting deterioration will make the U.S. Navy more susceptible to intrusion … and could lead to loss of data integrity, network performance and the inability to meet mission readiness of critical networks.”

While unglamorous, the work of updating operating systems to better defend networks against hackers, foreign or domestic, should probably take higher priority than launching new centers of excellence or other nice-sounding cyber units.

About the Author

Brendan McGarry
Brendan McGarry is the managing editor of Military.com. He can be reached at brendan.mcgarry@military.com. Follow him on Twitter at @Brendan_McGarry.
  • jack

    Here’s an idea. Stop using Windows. That solves 90% of ur security problems.

    • blight_asdf

      Even Linux will get hurt. Small things like Heartbleed (a defect in OpenSSL) have huge cross-platform implications.

      • t1oracle

        It was patched in 6 days. Furthermore, since it’s open source you can review the code. So if they want to be secure they need to use Linux and hire their own engineers to review the code. They can even make a custom distribution just for military use.

        • blight_asdf

          Which is the joy of open source. Or roll back OpenSSL to pre-Heartbleed.

          Windows and OS X are moving targets. They are closed source under the illusion that closed source provides more security.

        • Menzie

          All this takes $$. Where to scrape it from? Tanks, Subs, Ships? No Education or Healthcare or Social Security.

    • macman1138

      Amen. Much of the US government has been running the Mac platform for a decade or so already.

    • ldajnowski

      Agreed.

  • blight_asdf

    Also, it’s stupid to keep using Windows XP. Test compatibility mode for legacy programs in Win7, etc. If app works->can winXP.

    I find it hard to believe that “the warfighter” will be affected by a Windows XP program…and if anything it’s the vendor’s responsibility to update their program, or be ditched by the DoD.

  • John

    This has to be a joke windows xd still?

    • bbabbitt

      The joke is Microsoft Windows still!

  • macman1138

    Time for them to upgrade to Mac OS X.

  • ldajnowski

    What bullshit; legacy apps that have to have XP as the OS. We have never had a problem running applications used with XP on Windows 7. Even if the vendor contractor needs to make a small code tweak the app will run on XP. This is the most ridiculous excuse for continuing XP we have ever heard; and now the cost for doing so with MS custom developers supporting XP for the U.S. Navy, etc will overrun the cost of migration to another OS. The Feds want our tax money and jail or fine us if we don’t pay so they can throw away billions for bullshit excuses. We are the laughing stock of China and other countries even more so now!

  • Mike Zimmer

    Pentagon has at least Win 7 for 2 years now. OSD might only have XP. Title to article says Pentagon but the article only talks about DON and Carter! Wow that was a stretch!

  • Nathan kreuzman

    It’s really sad how our military is using such outdated software. How about focusing more on infrastructural upgrades… how about Linux instead? Moreover, why not build an operating system specified for the military? Would be a lot more secure, compared to a 14 year old product.

  • guest

    They should upgrade to Vista. LOL!

  • Ninh Pham, PhDCJ

    With the rapid advance of electronic technology each day, newer operating systems require computers with more memory and faster CPUs to run them; thus, older computers cannot handle a new OS and larger tasks, given their lack of memory and slow CPUs. The motherboard in an older computer has a maximum amount of memory to which the computer can be upgraded. It costs a tremendous amount of money to replace all existing older computers. Therefore, the Navy still uses Windows XP as a base for its computer and network operations. To secure these computers from vulnerabilities, Windows updates are necessary for cybersecurity in cyberspace. In order to keep these older computers and servers running effectively, continued operating system updates are necessary when Microsoft ends support for the Windows XP base. Besides, most military computer and network operations travel through civilian networks, and also depend on them for maintenance, function and operation.

  • kgkphd

    Hate to say it, but if you’re knocking XP, you’re knocking the best system Microsoft has put out in YEARS. Vista was a TOTAL disaster — the worst thing they put out since Millennium. Millennium lasted something like 90 days on the market. Windows 7 and 8 are nothing more than platforms for Windows to sell games and other apps. I understand the need to upgrade security on our systems and some people think it will be much harder to do that with XP. All I know, is that I trashed Vista ASAP and that I have had more security problems with Windows 7 and 8 than I ever had with XP, despite being armed with a small fortune in security programs, which are replaced and modified periodically. This week alone, I got hit with a bug that wiped out several of my security systems and deleted my entire Office suite. XP may be slower, but as far as I am concerned, it is easier to protect, simpler to use, and harder to pull up games on.

  • kgkphd

    Oh, yeah! I forgot. Anybody for COBOL?

  • Tom

    If you have ever worked in I.T., upgrading machines from XP to Win7 is not as easy as most people will think. I work for a hospital, 3,000 machines and we did something similar. And no we’re not incompetent but it took us almost a year to sift through the upgrade. So much software, so many points of failure. Even then we still have a few stragglers we have to keep because so-so software that they must have will not work with Win7. There is an upgrade for the software but it will cost this and that much. Anyways, 100,000 devices? Good luck with that. The computers will start dying off first before they get upgraded. Again, not as easy in a corporate environment.

  • guest

    Billions on weapons and $0 dollars for support and computer security, upgrades and maintenance.

  • tcement

    XP works. It’s better than Vista and 8 and no worse than 7. If DOD is picking up tab for continued maintenance, why can’t the rest of us piggyback on this Federal largesse? I’ve tried all of the above along with various flavors of {ugh} Linux and Mac OS. I like XP. Go ahead, start your abuse engines.

  • Bronco46

    There’s a way around all of this. Move to OS X!

  • Bill326

    Windows XP, seriously! No wonder we have cyber security problems. Just plain stupid!

  • Patriot on a String

    First this is an example of not enforcing existing contracts and one hand not knowing what the other hand is doing. When software was contracted for development such as for ship board systems (station to station) and for system controls, those contracts were worded to include patches and upgrades at a contracted rate for 15, 20, or specified years… I am talking about these Apps.. These are softwares that can be for gun turret control firing etc.. As prototype systems are being developed by contractors for upgrades or even upgrades made by another service these contractors are doing upgrades and software OS patches…. But, the contractors are not informing other services using the same systems, instead playing stupid and wanting to charge more money to create what already exists.. Those people that mention Linux or Mac apparently have no ‘Hack’ experience and fail to realize that the Federal Government paid for and sponsored the development of Microsoft & Apple from day one… That same Government paid for the biggest Propaganda Marketing Misinformation Campaign in History supporting that Apple and predecessor code use for offshoot OS systems is the most secure of all OS… First of all IBM is still the most Secure in OS development and remember and used by the Federal Government and Major Corporations with Microsoft as access point emulation.. Not a system one is totally secure!!! I could go on but again it’s a waste of time to give a college course here to re-educate college graduates of Professors of IT that were never employed by the Government or worked secure projects exploiting the Apple or Mac systems employed by our enemies because of the intention misinformation that now has our own citizens fooled.. Again, waste, waste waste…. Example Northrop Grumman has Windows 7/8 software in its inventory developed for the same system paid for by one service telling another service it’s too costly to develop….

    Our military is too contractor dependent and does not have a centralized IT development or control to catch these crooked contractors.. Another issue is some hardware for these systems were physically fixed/built to the stations because the contracts when put out for development bid did not require modularity to swap out whole systems and other requirements for hardware such as made in USA (keep Chinese chips with root kits etc pre-installed) or EMP proof also make a difference…. Conclusion, not enough control and too much confusion intentionally and politically caused by congress to allow Contractors to steal tax payer dollars.. Patching and upgrading Windows XP is the cheaper choice and cuts these multiple other contractors out… And is the fastest way to keep our military functional and alert!!!

    • blight_asdf

      I think it’s interesting you call them “Apple or Mac”, when Apple refers to the company and Macintosh/Mac refers to their contemporary personal computing lineup.

      There was a perception of security for Apple products only because it was a niche product for a long time, and also on PPC instead of x86. The switch to x86 and a FreeBSD-base for OSX simply brought Apple into alignment with the rest of the world in computing. And Apple’s popularity with the masses then made them the biggest target in the room.

      Considering the frequency of zero-day discoveries against all operating systems, nothing is safe. But if you don’t pay for vendor support you’ll never realize how thoroughly exploited you are. I almost wonder if MS did this to cut off hotfixes to enemy countries that use crappy bootlegged XP…

  • blight_asdfljsadf

    From a CBS12 article: http://cbs12.com/news/top-stories/stories/navy-pa…

    “Though Microsoft’s support for Windows XP ended in April 2014, the Navy didn’t issue its decision to upgrade its computers until Vice Admiral Ted Branch, deputy chief information officer for the Navy issued an agency-wide memo on July 2014. In the memo, Branch required all of its PCs to be upgraded to Windows XP by April 30, 2015 — or apply for a waiver for computers and systems that couldn’t be updated by then.

    Davis said that all of the computers ashore have since been upgraded to a newer version of Windows. But the significant number of systems afloat, including ships, submarines and other vessels, have not yet been upgraded.”

  • Scott_D_Bailey

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~SAD~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

  • Bronco46

    Interestingly enough an article on this subject came out on another site. Like myself it laments the fact that the government has resisted moving to the Mac OS. http://www.macobserver.com/tmo/article/the-depres…