WASHINGTON - Federal CIOs, who consistently list cybersecurity as one of their top concerns, aren't likely to sleep any better after listening to Dave Aucsmith.
Aucsmith, senior director of Microsoft's Institute for Advanced Technology in Governments, offered a sobering assessment of the current state of play in information security Tuesday at a conference for federal IT professionals hosted by the software giant.
"I do not believe you can create secure computer systems," Aucsmith says. "So where does that leave you? Systems have to adapt and change in the presence of your adversaries, and you have to understand your adversary in order to adapt and change those systems."
Aucsmith offered his remarks at a time when security workers have been witnessing what he calls "the professionalization of our adversaries," citing recent high-profile breaches that have hit the banking sector and retailers such as Target and Neiman Marcus.
Aucsmith emphasizes the dynamic nature of the modern threat landscape, in which attackers grow ever more sophisticated and continually hunt for new vulnerabilities to exploit. The result is a familiar point-counterpoint: defenders improve their systems, and adversaries scramble to get ahead of those latest advances.
"I have a classic arms race. And the one thing history has taught us about arms races is that nothing static ever remains secure," he says.
Federal Cybersecurity 'Unending Mission' These Days
A similar message comes from Tom Ridge, the former governor of Pennsylvania who went on to serve as the first secretary of homeland security. Ridge, who now heads the consulting firm Ridge Global, calls federal cybersecurity in the 21st century "an unending mission."
"The attack surface has changed. It's much broader and it's much wider," Ridge says. "Hackers today are better organized, certainly better financed and outcome-driven."
The fluid nature of the threats demands adaptive computing systems that can nimbly respond to new warnings or attacks, according to Aucsmith. It also underscores the importance of continuous monitoring and, to the extent possible, sharing information across the public and private sectors about new and emerging threats.
"What you might be able to do is recognize that attack the first time it occurs somewhere on the planet and respond accordingly," he says. "If you can move fast enough then, in essence, [hackers] only get one free shot."
Aucsmith also counsels the federal IT community to do a better job with the basics of what might be called computer hygiene, which matter all the more against fast-moving adversaries. Government agencies, he says, are generally slow to install security patches and often run outdated versions of software.
Since Nothing's 100 Percent Safe, Adaptability Matters
Of course, no set of cybersecurity best practices will keep every attacker out. Aucsmith emphasizes that even the best-designed systems exhibit unintended behaviors, and any vendor claiming to deliver a product built 100 percent to spec is, quite simply, lying.