CIOs Must Look to Adaptive Security Systems in Face of Evolving Threats

WASHINGTON — Federal CIOs, who consistently list cybersecurity as one of their top concerns, aren’t likely to sleep any better after listening to Dave Aucsmith.

Aucsmith, senior director of Microsoft’s Institute for Advanced Technology in Governments, offered a sobering assessment of the current state of play in information security Tuesday at a conference for federal IT professionals hosted by the software giant.

“I do not believe you can create secure computer systems,” Aucsmith says. “So where does that leave you? Systems have to adapt and change in the presence of your adversaries, and you have to understand your adversary in order to adapt and change those systems.”

Aucsmith offered his remarks at a time when security workers have been witnessing what he calls “the professionalization of our adversaries,” citing recent high-profile breaches that have hit the banking sector and retailers such as Target and Neiman Marcus.

[ Analysis: Federal CIOs Fret Over Budgets, IT Talent, Cybersecurity ]

[ More: IT Budgets, Cybersecurity Top Federal CIO Concerns ]

Aucsmith emphasizes the dynamic nature of the modern threat landscape, where hackers are growing ever more sophisticated and seeking new vulnerabilities to exploit. That creates a familiar point-counterpoint, with adversaries scrambling to keep ahead of their targets’ latest advances.

“I have a classic arms race. And the one thing history has taught us about arms races is that nothing static ever remains secure,” he says.

Federal Cybersecurity ‘Unending Mission’ These Days

A similar message comes from Tom Ridge, the former governor of Pennsylvania who went on to serve as the first secretary of homeland security. Ridge, who now heads the consulting firm Ridge Global, calls federal cybersecurity in the 21st century “an unending mission.”

“The attack surface has changed. It’s much broader and it’s much wider,” Ridge says. “Hackers today are better organized, certainly better financed and outcome-driven.”

The fluid nature of the threats demands adaptive computing systems that can nimbly respond to new warnings or attacks, according to Aucsmith. It also underscores the importance of continuous monitoring and, to the extent possible, sharing information across the public and private sectors about new and emerging threats.

[ More: ‘Aurora’ Cyber Attackers Actually Running Counterintelligence ]

“What you might be able to do is recognize that attack the first time it occurs somewhere on the planet and respond accordingly,” he says. “If you can move fast enough then, in essence, [hackers] only get one free shot.”

Aucsmith also counsels the federal IT community to do a better job in handling more basic aspects of what might be called computer hygiene in the face of fast-moving adversaries. Government agencies, generally, are slow to install security patches and often run outdated versions of software, he says.

Since Nothing’s 100 Percent Safe, Adaptability Matters

Of course, there’s no set of cybersecurity best practices that will keep the hackers at bay. Aucsmith emphasizes that even the best-designed systems exhibit unintended behaviors. Any vendor claiming to deliver a product built 100 percent to spec is, quite simply, lying.

In any sophisticated modern system, the areas where the product deviates from its intended functions are typically where the vulnerabilities will be found. Because those weak spots are unforeseen, though, it’s impossible to defend them against targeted threats thoroughly and preemptively.

[ Commentary: McAfee Security Report Suggests 2014 Will Be a Rough Year ]

“This is the equivalent of asking yourself, ‘What is it that I do not know?’ That is a very difficult question to answer,” Aucsmith says, arguing that adaptability is an essential feature to enable systems to cope with attacks on unanticipated threat vectors.

“We are building systems that are far more complex than our ability to completely understand their behaviors,” Aucsmith says. “So in essence … I have a highly complex system whose complete behavior is not knowable, and I now place it in front of a dedicated adversary. That is a guarantee that the system will be breached. So rather than fool ourselves that we can produce systems that can never be successfully breached, we have to rethink what we do.

Concludes Aucsmith: “This is not an argument, by the way, that we shouldn’t do the absolute best that we can to build systems. Rather it’s an argument that that is by and in and of itself insufficient.”

Kenneth Corbin is a Washington, D.C.-based writer who covers government and regulatory issues for CIO.com. Follow everything from CIO.com on Twitter @CIOonline, Facebook, Google + and LinkedIn.