July 24, 2015:
Despite the fact that the U.S. Department of Defense is the biggest customer for major software publishers (like Microsoft) some parts of the military refuse to heed advice to upgrade their key software. As a result the U.S. Navy recently revealed that it has to pay as much as $30 million to get security patches for 100,000 older PCs still running Windows XP. This fifteen year old operating system (and nearly as old software like Office 2003, Exchange 2003 and Windows Server 2003) are still used by the navy despite the fact that Microsoft gave years of warnings that because of the age and vulnerability of this software, it was going to stop supply critical security patches unless users paid for it. Even then the security would not be as good as it is for more recent versions of all those programs. The navy has several reasons for not upgrading these older PCs. This involves the difficulty of getting software upgraded and some equipment redesigned to allow for installation of new hardware (needed to handle the more powerful operating systems). There are also problems with political and bureaucratic interference with upgrades. So it should be no surprise that this happens. Note that many commercial firms are still using XP, often for similar reasons.
Meanwhile the major software publishers offer special deals to major customers and the Department of Defense often takes advantage of these. For example in 2012 the Department of Defense made a deal with Microsoft to obtain Microsoft products (operating systems and apps) for some two million military users (mostly in the army and air force) for about $100 a year (for three years) per user. This is a typical software licensing deal for large organizations (usually corporations). The Department of Defense can also get special modifications to software they buy in large quantities. In the future the military will be spending more attention, and cash, on smaller computers, but for now the military is using more of both the larger and handheld computers.
While users (including military) are shifting to smart phones for many of their computer needs, the desktop and laptop PCs are still doing most of the work in the military. At the beginning of the 21st century the operating system of choice was Microsoft Windows (over 90 percent market share). But now, when you include smart phones and tablets, Windows is on only 14 percent of small computers (desktop, laptop, tablet, smart phone) compared to 48 percent for Android, 11 percent for Apple IOS devices and 26 percent for other. This is a trend that really got going in the last decade as the tablet and smart phone became available. Hackers and Internet based crime is also shifting from Windows to Android and IOS devices. The military is working hard on providing better security for these handheld computers but still faces its greatest vulnerability on Windows systems.
In the past the U.S. Department of Defense often created custom versions of Windows and installed their own automated security features and automatic software updating systems. The reason for all this is that the Department of Defense cannot attract a sufficient number of qualified security experts. The military has to compete with the commercial sector for these scarce security personnel, and with the shortage of such people, government pay and benefits cannot compete. But the government does have other resources, which make it possible to develop custom automated security systems.
For example, the NSA (National Security Agency) worked with Microsoft on security aspects of the Windows 7 operating system and later for Windows 8 and 10. This was nothing new. Earlier, NSA worked with the U.S. Air Force and Microsoft to develop a special version of Windows XP, one that had over 600 operating system settings shut down or modified so that hackers had a harder time penetrating air force network security. Some of it was simple stuff, like ensuring that the highest level password (the admin password, which gives you access to everything) can never be the same as a lower level (user) password. The system was also modified to have passwords expire every sixty days, forcing users to create new ones.
The military has another advantage in that they can impose more discipline on how their personnel use their PCs and networks. This makes it easier to build in additional security features and regularly update those items. The big weakness the Department of Defense networks have is their exposure to the Internet, which is awash in hackers and malware (software that will infiltrate PCs and steal or destroy your data). One solution to that has been the establishment of two large networks that use Internet software but are closed to civilian users. NIPRNET (Non-classified Internet Protocol Router Network) is the military network connected to the internet and has over three million servers. Although unclassified, NIPRNET contains a lot of logistics (supplies, including requests for stuff) and personnel matters (addresses, phone numbers, and even credit card numbers). Separate from NIPRNET is SIPRNET (Secure Internet Protocol Router Network). This net is not connected to the Internet and encrypts its data. This network is rarely attacked and penetrations are few, if any (all discussion of SIPRNET attacks are classified).
The Department of Defense imposed similar controls and security features on their new smartphone operating system (an NSA tweaked version of Android). But the major security vulnerability remains the leadership and the need for many commanders and civilian executives in the Department of Defense to order that upgrades be performed. The Department of Defense is being urged to adopt a system where security and other upgrades are automatically “pushed” (installed without intervention by local users or commanders). There is a lot of resistance to this as many commanders and civilian managers don’t want to surrender any control.