Microsoft's government security expert warns that there's no such thing as perfect security, so systems must be able to adapt and respond to attacks on unforeseen vulnerabilities. WASHINGTON — Federal CIOs, who consistently list cybersecurity as one of their top concerns, aren’t likely to sleep any better after listening to Dave Aucsmith.Aucsmith, senior director of Microsoft’s Institute for Advanced Technology in Governments, offered a sobering assessment of the current state of play in information security Tuesday at a conference for federal IT professionals hosted by the software giant.“I do not believe you can create secure computer systems,” Aucsmith says. “So where does that leave you? Systems have to adapt and change in the presence of your adversaries, and you have to understand your adversary in order to adapt and change those systems.” SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe Aucsmith offered his remarks at a time when security workers have been witnessing what he calls “the professionalization of our adversaries,” citing recent high-profile breaches that have hit the banking sector and retailers such as Target and Neiman Marcus. [ Analysis: Federal CIOs Fret Over Budgets, IT Talent, Cybersecurity ] [ More: IT Budgets, Cybersecurity Top Federal CIO Concerns ] Aucsmith emphasizes the dynamic nature of the modern threat landscape, where hackers are growing ever more sophisticated and seeking new vulnerabilities to exploit. That creates a familiar point-counterpoint, with adversaries scrambling to keep ahead of their targets’ latest advances.“I have a classic arms race. And the one thing history has taught us about arms races is that nothing static ever remains secure,” he says.Federal Cybersecurity ‘Unending Mission’ These DaysA similar message comes from Tom Ridge, the former governor of Pennsylvania who went on to serve as the first secretary of homeland security. Ridge, who now heads the consulting firm Ridge Global, calls federal cybersecurity in the 21st century “an unending mission.”“The attack surface has changed. It’s much broader and it’s much wider,” Ridge says. “Hackers today are better organized, certainly better financed and outcome-driven.”The fluid nature of the threats demands adaptive computing systems that can nimbly respond to new warnings or attacks, according to Aucsmith. It also underscores the importance of continuous monitoring and, to the extent possible, sharing information across the public and private sectors about new and emerging threats.[ More: ‘Aurora’ Cyber Attackers Actually Running Counterintelligence ] “What you might be able to do is recognize that attack the first time it occurs somewhere on the planet and respond accordingly,” he says. “If you can move fast enough then, in essence, [hackers] only get one free shot.”Aucsmith also counsels the federal IT community to do a better job in handling more basic aspects of what might be called computer hygiene in the face of fast-moving adversaries. Government agencies, generally, are slow to install security patches and often run outdated versions of software, he says.Since Nothing’s 100 Percent Safe, Adaptability MattersOf course, there’s no set of cybersecurity best practices that will keep the hackers at bay. Aucsmith emphasizes that even the best-designed systems exhibit unintended behaviors. Any vendor claiming to deliver a product built 100 percent to spec is, quite simply, lying.In any sophisticated modern system, the areas where the product deviates from its intended functions are typically where the vulnerabilities will be found. Because those weak spots are unforeseen, though, it’s impossible to defend them against targeted threats thoroughly and preemptively. [ Commentary: McAfee Security Report Suggests 2014 Will Be a Rough Year ]“This is the equivalent of asking yourself, ‘What is it that I do not know?’ That is a very difficult question to answer,” Aucsmith says, arguing that adaptability is an essential feature to enable systems to cope with attacks on unanticipated threat vectors.“We are building systems that are far more complex than our ability to completely understand their behaviors,” Aucsmith says. “So in essence … I have a highly complex system whose complete behavior is not knowable, and I now place it in front of a dedicated adversary. That is a guarantee that the system will be breached. So rather than fool ourselves that we can produce systems that can never be successfully breached, we have to rethink what we do.Concludes Aucsmith: “This is not an argument, by the way, that we shouldn’t do the absolute best that we can to build systems. Rather it’s an argument that that is by and in and of itself insufficient.”Kenneth Corbin is a Washington, D.C.-based writer who covers government and regulatory issues for CIO.com. Follow everything from CIO.com on Twitter @CIOonline, Facebook, Google + and LinkedIn. Related content opinion The changing face of cybersecurity threats in 2023 Cybersecurity has always been a cat-and-mouse game, but the mice keep getting bigger and are becoming increasingly harder to hunt. By Dipti Parmar Sep 29, 2023 8 mins Cybercrime Security brandpost Should finance organizations bank on Generative AI? Finance and banking organizations are looking at generative AI to support employees and customers across a range of text and numerically-based use cases. By Jay Limbasiya, Global AI, Analytics, & Data Management Business Development, Unstructured Data Solutions, Dell Technologies Sep 29, 2023 5 mins Artificial Intelligence brandpost Embrace the Generative AI revolution: a guide to integrating Generative AI into your operations The CTO of SAP shares his experiences and learnings to provide actionable insights on navigating the GenAI revolution. By Juergen Mueller Sep 29, 2023 4 mins Artificial Intelligence feature 10 most in-demand generative AI skills Gen AI is booming, and companies are scrambling to fill skills gaps by hiring freelancers to make the most of the technology. These are the 10 most sought-after generative AI skills on the market right now. By Sarah K. White Sep 29, 2023 8 mins Hiring Generative AI IT Skills Podcasts Videos Resources Events SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe