In any sophisticated modern system, the areas where the product deviates from its intended functions are typically where the vulnerabilities will be found. Because those weak spots are unforeseen, though, it's impossible to defend them against targeted threats thoroughly and preemptively.
"This is the equivalent of asking yourself, 'What is it that I do not know?' That is a very difficult question to answer," Aucsmith says, arguing that adaptability is an essential feature to enable systems to cope with attacks on unanticipated threat vectors.
"We are building systems that are far more complex than our ability to completely understand their behaviors," Aucsmith says. "So in essence ... I have a highly complex system whose complete behavior is not knowable, and I now place it in front of a dedicated adversary. That is a guarantee that the system will be breached. So rather than fool ourselves that we can produce systems that can never be successfully breached, we have to rethink what we do.
Concludes Aucsmith: "This is not an argument, by the way, that we shouldn't do the absolute best that we can to build systems. Rather it's an argument that that is by and in and of itself insufficient."
Sign up for Computerworld eNewsletters.