GEORGETOWN: Four days after Defense Secretary Ash Carter launched the Pentagon’s new cyber strategy, experts and officials offered a grim picture of the global threat. The threat is metastasizing in ways that will require new kinds of defenses — even while many US companies and government agencies lag on basic cybersecurity measures.

“The Chinese in particular are cleaning us out” by exploiting well-known vulnerabilities it would be easy to patch, said Stephanie O’Sullivan, principal deputy to Director of National Intelligence James Clapper. Meanwhile, Russia remains the most sophisticated threat, she told a Georgetown University cyber conference, while Iran and North Korea are less capable but more “unpredictable and aggressive.”

But sophisticated, destructive cyber threats no longer come only from nation-states, a panel of experts warned just hours later. “The nation-states of the world…no longer have a monopoly on developing this APT [advanced persistent threat] phenomenon,” said Tom Kellermann, the chief cybersecurity officer at Trend Micro. “You’re seeing the true commoditization” of hacking tools, he said.

Terrorist groups like Hamas or the Islamic State might not have good enough hackers in-house, said Israeli cyber expert Rami Efrati, but “unfortunately they are able to go to the dark net, to the deep web, to get it as a service and to buy the most sophisticated zero-day attacks.” Indeed, there’s much speculation that North Korea hired Chinese hackers to conduct its attack on Sony.

“Cyber criminals are selling tools in a growing black market with little regard for what the customers might do with them,” O’Sullivan said. But the proliferation of easy-to-use exploits is mainly at the low end. “If there’s any good news,” she said, “it’s this: A great deal of what China, North Korea, Iran, and the vast majority of cyber-criminals and self-proclaimed hacktivists do isn’t very sophisticated. They largely target vulnerabilities that are easy to guard against or simple to fix. The bad news is most of us don’t do a good job guarding against these vulnerabilities.”

“The Chinese in particular are cleaning us out because we know we’re supposed to do these simple things and yet we don’t do them,” she said. We need to patch software “obsessively,” she went on, because currently “most Chinese cyber intrusions are through well known vulnerabilities that could be fixed with patches already developed.”

The problem with patches is the pace. Even if hackers didn’t know about a vulnerability long before the defenders did, they sure know about it once it’s publicly announced — and then the race is on to fix it before it can be exploited.

“Everybody knows when a big system is going to provide a patch,” said Lt. Gen. Mark Bowman, the Joint Staff’s director of command, control, communications, and computers (staff section J-6).

“You get notes from Adobe, ‘hey, we gotta patch this’; you get notes from Microsoft, ‘you gotta patch this’; so what makes us think that the bad guy’s not getting the same note?” Bowman told me at the recent C4ISR & Networks Conference. “They’re getting it and they know what the vulnerabilities are, so that just gives them that much more time to try to exploit that vulnerability.”

The Pentagon in particular struggles to ensure consistent patching across a disjointed maze of systems. Each was acquired separately by a different agency or office, each is managed by a different person, but all are directly or indirectly connected, so that a security breach in the weakest link potentially threatens all. That’s why the Defense Department is driving hard to standardize and centralize, folding scores of network fiefdoms into a unified Department of Defense Information Networks (DoDIN) architecture that’s easier to defend.

The Department is “building single security architecture that’s… more easily defendable…. to replace the hundreds of networks – separate networks – that we now operate,” Sec. Carter said in his Stanford University speech. “Just this week I directed that we consolidate all of our IT services in DoD and throughout the Washington capital region – consolidate all of them, which will not only help improve our overall cybersecurity, but also save millions of dollars we can better spend elsewhere.”

By consolidating networks and their defenses, Pentagon CIO Terry Halvorsen said at the C4ISR conference, “I get to eliminate about 1,300 firewalls.” Given chronic compatibility problems between the numerous petty networks, he said, those firewalls generally do more to interfere with legitimate users than to stop hackers.

“We’re getting rid of all those extra firewalls,” Bowman told the C4ISR conference. “As the Joint Staff CIO, I’m required to have firewalls. I got ’em. Doesn’t mean I have to have them turned on.” Bowman’s turned off the firewalls specific to his networks, he said, and put that layer of security in the hands of the Pentagon’s Information Technology Agency.

Bowman wants to do more than just eliminate excess firewalls and consolidate separate networks, however. As a senior networks officer for the Joint Staff and, before that, the Army and US Central Command, he’s pushed to consolidate software and data from individual users’ computers onto the network. That’s called the “thin client” approach, where each individual user’s device has as little on it as possible and relies on the network to function.

But, I asked, doesn’t that leave you vulnerable to network outages? “I haven’t had a situation where that’s been the case,” Bowman replied. In a modern military organization, he added, if you’ve lost the network, you can’t function anyway. “Whether we want to admit it or not, the network is a warfighting system,” he told me. “If you don’t have a network, you ain’t transmitting any ISR [intelligence, surveillance, and reconnaissance]. If you don’t have a network, you’re not giving the ATO [air tasking order] to the guy flying the plane. The network is required for everything.”

And when it comes to defending that network, a thin-client model makes life much easier, Bowman said. With a traditional “thick client” approach, each user’s computer has its own copy of each program, so when a new vulnerability is discovered, each computer has to be patched and updated individually. That can take weeks or months, Bowman said, and you still might miss some stray device whose user simply wasn’t connecting it to the network during that time. With thin clients, by contrast, everybody is using the same copy of the software, the one resident on the network, which means you only have to apply each patch once. “Being able to patch immediately is huge,” he said.

Patching known vulnerabilities won’t keep out the most sophisticated hackers, of course. “Russia in particular has a broad range of highly sophisticated technical and human intelligence capabilities,” O’Sullivan said, “[going] beyond just taking advantage of common vulnerabilities that can be fixed with a simple patch. And in the event of military conflict or geopolitical crisis with Russia, some US critical infrastructure networks will be at risk.”

It’s not just the Russians, however. “In all of the significant breaches that we’ve seen over the last two years, the adversaries have been in those networks for months, completely undetected, which means they had unfettered access to everything that was occurring on that network,” Shawn Henry, a former FBI agent, said at the Georgetown conference. “We have…to try to prevent what we can prevent, but the reality is we’re not going to prevent it. The most sophisticated actors are going to get on your network. It might take them a few weeks, it might take them a few months, it might take them years in extreme cases, but they’re getting on.”

The key, Henry said, is not keeping them out but realizing that they’re in: “If you can detect them, you can mitigate them.”

The need to monitor your system for intrusions is another reason that the military is consolidating networks — and that Bowman advocates thin-client. The more different networks you have, each with its own settings, software, and administrators, the more inconsistencies you’ve built in, which makes it harder to detect those anomalies that arise from enemy activity. A single, standardized system is much easier to monitor — especially if it uses thin clients, so there’s little room for malware to hide on individual users’ machines.

“A lot of people say there’s no ROI [return on investment] on thin client,” Bowman told me. “Well, what value did you put on security?”