"I believe it is fundamentally impossible to stop an attack for which you have never, ever conceived of," Aucsmith says.
"I think the best we can hope for is that the systems we build are as good as they can be, and as they sit there and do their job, and we learn more about our adversaries' behavior, we constantly change and update that. We maneuver the system so that it remains immune to further attacks," he adds.
"So in essence, I don't think I can stop the very first attack of a kind I've never considered, but I believe it may be in my power to find that first attack very quickly and then make everything else immune so that I change the economics of cyber attacks and make it economically infeasible to spend a lot of effort trying to find those vulnerabilities," Aucsmith says.
The challenges of cyber defense are of course amplified by the growing number and variety of attacks and attackers. Aucsmith describes the threats as generally falling into the categories of criminal activity, espionage and warfare, with the last existing still more in theory than practice.
"We see very, very little warfare, fortunately," he says, allowing that Russia's cyber attacks against Estonia and Georgia in 2007 and 2008, respectively, and the Stuxnet assault on Iran's nuclear program, count as possible exceptions.
Hackers More Dangerous When Backed By Foreign Governments
Accepting that absolute security is an unattainable goal, and that it isn't even realistic to try to keep pace with hackers--let alone a step ahead--Aucsmith urges IT security workers to ensure that their systems are as dynamic as possible, narrowing the window for potential attacks and, in the process, making it more costly for the adversaries. For administrators, that means promptly deploying the patches that vendors issue, such as those that Microsoft pushes out on the second Tuesday of every month.
Security threats have also fundamentally reoriented Microsoft's business operations, dating to a 2002 company-wide directive from then-CEO Bill Gates, who let it be known that in the security wars, "we were losing," Aucsmith says.
That memo gave rise to Microsoft's Trustworthy Computing initiative, which has elevated secure coding to a top company priority and also set in motion what Aucsmith describes as an in-house intelligence operation rooted in the acknowledgement that the firm didn't have a good sense of who was attacking its systems, what they were after and how they were operating.
Now, more than 10 years later, Microsoft is more convinced than ever that there is no end to the threats that emerge from unexpected system exploits, and that there is no room for complacency in cybersecurity.