{"id":27050,"date":"2026-05-04T19:28:30","date_gmt":"2026-05-04T19:28:30","guid":{"rendered":"https:\/\/www.europesays.com\/ai\/27050\/"},"modified":"2026-05-04T19:28:30","modified_gmt":"2026-05-04T19:28:30","slug":"u-s-officials-consider-three-day-patch-rule-in-wake-of-anthropics-mythos","status":"publish","type":"post","link":"https:\/\/www.europesays.com\/ai\/27050\/","title":{"rendered":"U.S. Officials Consider Three-Day Patch Rule in Wake of Anthropic\u2019s Mythos"},"content":{"rendered":"<p>Federal officials reportedly are considering significantly cutting the amount of time U.S. agencies have to fix critical vulnerabilities in the wake of the introduction of Anthropic\u2019s Mythos and OpenAI\u2019s GPT-5.4-Cyber, frontier AI models that are particularly good at not only detecting software security flaws but also exploiting them.<\/p>\n<p>Citing unnamed sources, <a href=\"https:\/\/securityboulevard.com\/2026\/05\/u-s-officials-consider-three-day-patch-rule-in-wake-of-anthropics-mythos\/news.google.com\/read\/CBMixwFBVV95cUxOMGN6dXV0LU43a3VDd0JFTE1oYkVkZVBqVDhLalNKMExITzZfNWpuLUlaWXVKWVJZZDk1aTlmLVlIVTZqbDhISXpTMHc3N3k3QXlCZU0xSERVdFB6TW5WRW1oMVJrM3JPanEzeVBNV1R1ZXNjR2tmV0ZGUS1WRTZNRXREcWdyQ3BlVUlCZkdsRVdsNmtBTXYteFA1cUI3OVJsSmdxcW85Y0JrYm0zUkx4YkdfZExlRVRRR3JjYUZRc09aSGZUQm44?hl=en-US&amp;gl=US&amp;ceid=US%3Aen\" target=\"_blank\" rel=\"noopener nofollow\">Reuters reported<\/a> that U.S. National Cyber Director Sean Cairncross and Nick Andersen, acting head of CISA, are considering slashing the time U.S. agencies have to fix flaws that are being actively exploited from two weeks to three days.<\/p>\n<p>The drastically reduced deadline reflects the concern fueled by the unveiling of Mythos and <a href=\"https:\/\/openai.com\/index\/scaling-trusted-access-for-cyber-defense\/\" target=\"_blank\" rel=\"noopener nofollow\">GPT-5.4-Cyber<\/a> last month. 
Both Anthropic and OpenAI somewhat limited the release of the frontier models, but their capabilities are raising concerns about the future of cybersecurity.<\/p>\n<p>In a <a href=\"https:\/\/www.anthropic.com\/glasswing\" target=\"_blank\" rel=\"noopener nofollow\">blog post<\/a> introducing Mythos and Anthropic\u2019s new Project Glasswing \u2013 where select security vendors, like Google, Microsoft, Nvidia, Cisco, and Amazon Web Services, and researchers are using the model to develop advanced cybersecurity capabilities \u2013 the AI vendor wrote that its general-purpose model \u201creveals a stark fact: AI models have reached a level of coding capability where they can surpass all but the most skilled humans at finding and exploiting software vulnerabilities.\u201d<\/p>\n<p>Detect and Exploit Flaws<\/p>\n<p>Threat actors that gain access to Mythos or GPT-5.4-Cyber could find software security flaws that vendors and cybersecurity research teams don\u2019t know about, and then quickly create exploits for those vulnerabilities, reducing the time to exploit from weeks or days to minutes or hours.<\/p>\n<p>\u201cThe fallout \u2013 for economies, public safety, and national security \u2013 could be severe,\u201d Anthropic wrote. \u201cProject Glasswing is an urgent attempt to put these capabilities to work for defensive purposes.\u201d<\/p>\n<p>Government Concerns<\/p>\n<p>Mythos and GPT-5.4-Cyber have raised concerns both inside and outside of the federal government. 
Days after Anthropic\u2019s announcement of Mythos, Treasury Secretary Scott Bessent and Jerome Powell, chairman of the Federal Reserve, <a href=\"https:\/\/securityboulevard.com\/2026\/04\/anthropic-mythos-ai-model-strikes-fear-in-trump-administration-u-s-banks\/\" target=\"_blank\" rel=\"noopener nofollow\">met with the CEOs<\/a> of the country\u2019s largest banks, including Citi and Bank of America, about the dangers Mythos poses if it falls into the hands of cybercriminals.<\/p>\n<p>More recently, White House officials told Anthropic they <a href=\"https:\/\/securityboulevard.com\/2026\/04\/white-house-pushes-back-against-anthropics-mythos-expansion\/\" target=\"_blank\" rel=\"noopener nofollow\">oppose the AI vendor\u2019s plan<\/a> to expand access to Mythos to about 70 more organizations, citing concerns about the threat of the model\u2019s misuse and the infrastructure necessary for such a rollout. Among the concerns is that shortly after Mythos was announced, there were reports of <a href=\"https:\/\/securityboulevard.com\/2026\/04\/unauthorized-users-reportedly-gain-access-to-anthropics-mythos-ai-model\/\" target=\"_blank\" rel=\"noopener nofollow\">unauthorized access<\/a> by users who got in through private channels.<\/p>\n<p>Another worry was whether Anthropic had the necessary infrastructure to support the additional users. If not, it could slow down the cybersecurity work some government agencies are doing that requires access to Mythos.<\/p>\n<p>A Good Idea, but Difficult to Implement<\/p>\n<p>Security pros told Security Boulevard that faster security flaw patching is a good idea, but that the government can\u2019t expect it to happen with the ease of flipping a light switch. 
There are structural challenges, and the time it takes bad actors armed with AI tools to access vulnerable systems is now often less than three days.<\/p>\n<p>\u201cHaving spent the last decade working with federal CIOs and CISOs on this challenge \u2013 albeit before the release of Mythos and GPT-5.4-Cyber \u2013 most organizations are not yet equipped to safely validate, prioritize, and remediate critical or actively exploited vulnerabilities at that pace without risking service disruption or incomplete fixes,\u201d said Matthew Hartman, who is now chief strategy officer at Merlin Group after spending almost 15 years with the U.S. Department of Homeland Security, including most of his last five years there with CISA. \u201cClosing that gap will require sharper prioritization, along with significant investment in automation and real-time asset visibility.\u201d<\/p>\n<p>Structural Challenges<\/p>\n<p>Louis Eichenbaum, federal CTO at ColorTokens, called the idea a step in the right direction, but added that it isn\u2019t nearly enough.<\/p>\n<p>\u201cEven if agencies could patch every system within three days, that timeline is already too long in an environment where adversaries are using AI to discover and exploit vulnerabilities in near real time,\u201d Eichenbaum said. \u201cWe also must acknowledge a structural reality: a significant portion of federal environments, particularly legacy and OT systems, cannot be patched quickly, and in some cases cannot be patched at all without risking mission disruption.\u201d<\/p>\n<p>\u201cPatching alone is no longer a sufficient vulnerability management strategy,\u201d he added. 
\u201cAgencies must complement patching with a containment strategy.\u201d<\/p>\n<p>Part of such a strategy requires microsegmentation, which would enable security teams to create secure and policy-enforced boundaries around vulnerable systems that restrict traffic flows and prevent lateral movement by attackers even if a system is compromised, Eichenbaum said. It would reduce the reach of the exploitation and give greater visibility to defenders.<\/p>\n<p>Patching is a Complex Process<\/p>\n<p>Another concern is that while a tighter deadline would force companies to operate faster, security patches from vendors or open source communities may not always exist in the accelerated timeframe, said Morey Haber, chief security advisor at BeyondTrust. If they do, they still need to go through enough quality assurance testing to ensure they would not create other vulnerabilities or break functionality.<\/p>\n<p>\u201cIn addition, patching in large organizations is not a single action by one individual or team,\u201d Haber said. \u201cIt is a chain of dependencies to verify asset discovery, impact analysis, regression testing, change management, outage coordination, and often regulatory validation. In many environments, especially those tied to critical infrastructure or financial systems, a patch is not deployed until absolutely necessary because of the downtime needed simply to apply the patch and reboot.\u201d<\/p>\n<p>He added that an accelerated timeline will only work with organizations that already have extensive patch automation, real-time vulnerability management, identity-centric controls, and other features.<\/p>\n<p>\u201cFor everyone else, you cannot compress remediation timelines if you have not first compressed your reporting and exposure of risk first,\u201d Haber said.<\/p>\n","protected":false},"excerpt":{"rendered":"Federal officials reportedly are considering significantly cutting the amount of time U.S. 
agencies have to fix critical vulnerabilities&hellip;\n","protected":false},"author":2,"featured_media":27051,"comment_status":"","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[8],"tags":[53,2445,7539,7540],"class_list":{"0":"post-27050","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-anthropic","8":"tag-anthropic","9":"tag-event","10":"tag-icon","11":"tag-link"},"_links":{"self":[{"href":"https:\/\/www.europesays.com\/ai\/wp-json\/wp\/v2\/posts\/27050","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.europesays.com\/ai\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.europesays.com\/ai\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.europesays.com\/ai\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.europesays.com\/ai\/wp-json\/wp\/v2\/comments?post=27050"}],"version-history":[{"count":0,"href":"https:\/\/www.europesays.com\/ai\/wp-json\/wp\/v2\/posts\/27050\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.europesays.com\/ai\/wp-json\/wp\/v2\/media\/27051"}],"wp:attachment":[{"href":"https:\/\/www.europesays.com\/ai\/wp-json\/wp\/v2\/media?parent=27050"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.europesays.com\/ai\/wp-json\/wp\/v2\/categories?post=27050"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.europesays.com\/ai\/wp-json\/wp\/v2\/tags?post=27050"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}