
Rethinking Cybersecurity Strategies

The New York Times article "U.S. Steps Up Efforts in Digital Defenses" makes vague references to increasingly sophisticated attacks on U.S. cyberinfrastructure. Even with few details, the article paints a clear picture: our usual methods for securing IT systems are not enough.

"The fortress model simply will not work for cyber," said one senior military officer who has been deeply engaged in the debate for several years. "Someone will always get in."

So what do we do? When dealing with symmetric threats, like another nation, the U.S. can threaten retaliation as long as it has a credible cyberwarfare capability. That doesn't work for asymmetric threats, like those from a band of nationalistic attackers, and it certainly isn't an option for businesses.

We can take a lesson from evolution, which has managed to produce a wide array of organisms that can survive in environments riddled with pathogens, like bacteria and viruses.

Design patterns like redundant systems, feedback loops and the ability to identify malicious agents are part of the solution. Consider one example. Our immune systems can detect chemical markers on cells that don't belong in the body; digital identification mechanisms serve an analogous function in distributed systems. We know a request is valid if it is accompanied by a digital certificate from someone with authorization to request the service. Being able to reliably identify an agent operating in your environment (biological or digital) is a basic requirement of robust security. There are more, but this demonstrates the idea.

The burden of securing infrastructure is becoming more a matter of how we design complex systems to be resilient and less about building walls and keeping the bad guys out.


Dan Sullivan's Bio:

Dan Sullivan is a systems architect with 20 years of IT experience that includes engagements in enterprise security, application design, and systems architecture. His experience includes a broad range of industries, including financial services, manufacturing, government, retail, gas and oil production, power generation, and education. Dan’s security-related project work has ranged from requirements analysis for enterprise information security to designing and implementing security for database applications and enterprise portals. Dan has written about information security and other enterprise information management topics for Business Security Advisor, DM Review, Intelligent Enterprise, and E-Business Advisor. You can contact Dan at: dan_sullivan@realtimepublishers.net