Exclusive-US officials weigh cutting deadlines to fix digital flaws amid worries over AI-powered hacking, sources say
WASHINGTON, May 1: U.S. cybersecurity officials are considering sharply shorter deadlines for fixing critical flaws in government IT systems, amid concerns hackers could exploit them using artificial‑intelligence tools such as Anthropic’s Mythos, people familiar with the matter said.
The move, which has not been previously reported, would slash the deadline for responding to actively exploited vulnerabilities from two weeks to three days, the people said.
Anxiety over the power and proliferation of AI models like Mythos and OpenAI's GPT‑5.4‑Cyber has been building for weeks. Although hackers have been deploying AI since at least 2023, these newer models are said to be able to easily identify previously unknown vulnerabilities or seize on freshly disclosed ones to enable complex hacking operations. So while it previously might have taken hackers several months, weeks, or days to take advantage of software flaws, that timeframe has been compressed, in at least some cases, to a matter of hours.
That in turn is putting pressure on defenders to kick into high gear, said Stephen Boyer, the founder of cybersecurity company Bitsight, which has previously helped CISA catalogue vulnerabilities.
"If you're going to protect civil agencies, you're going to have to move faster," Boyer said. "We don't have as much of a window as we used to have."
The two sources familiar with the matter said the deadline proposals were being discussed by Nick Andersen, the acting chief of the Cybersecurity and Infrastructure Security Agency, and Sean Cairncross, the U.S. national cyber director. Reuters could not establish whether a final decision on the matter has been made or when one could be expected. CISA and the Office of the National Cyber Director did not immediately offer comment.
CISA has for years curated a catalogue of known-and-exploited vulnerabilities, or KEVs, which are seen as priorities because they are out in the open and actively being abused by criminals or spies. CISA typically gives civilian agencies a two-week deadline to fix such flaws once they are added to the database. Although the deadlines are occasionally compressed to deal with particularly serious problems, the new proposals would see the default cut down to just three days, the sources said.
The discussions at CISA come as business leaders and the digital security industry grapple with the fallout from the release of more advanced AI models. The banking industry, in particular, has been sent scrambling as regulators race to get a handle on how dangerous the new technology is.
Tightening deadlines at CISA will likely serve as a model for state and local governments as well as businesses and other groups, said Nitin Natarajan, who served as the deputy director of CISA under former President Joe Biden.
"This is a signal to others that says, 'Hey you need to do this more quickly,'" he said.
Natarajan, who now runs the cyber consultancy NN Global, said speeding up the deadlines made sense given how quickly AI-powered threats were evolving. But he warned that CISA - which has been depleted by deep job cuts and buffeted by government shutdowns under President Donald Trump - needed the capacity to handle the strain of tighter deadlines.
"We've seen a reduction in their resources, both in funding and expertise," Natarajan said.
Kecia Hoyt, a vice president at the threat intelligence firm Flashpoint, warned that patching software flaws could be a complicated process involving detailed tests ahead of deployment. "Realistically, three days is simply impossible for some environments," she said.
John Hammond, the senior principal security researcher at Maryland-based Huntress, said dropping deadlines from two weeks to three days would be "quite a change." While he said he was cautiously optimistic about running things faster, "only time will tell how well the industry keeps up."