AI Sparks Fresh Discussion on CISA Software Patching Deadlines


Escalating Concerns Over AI-Driven Cyber Threats Prompt Debate on Patching Protocols

Rising concern about artificial intelligence (AI)-driven cyber intrusions has ignited debate over how quickly organizations should fix software vulnerabilities.

This includes pressing questions about whether federal entities ought to be mandated to adhere to patch deadlines in days rather than the customary weeks.

Cybersecurity specialists agree that patching must speed up, particularly in light of recent AI advances. Many argue, however, that simply shortening deadlines will not by itself produce faster fixes and could backfire.

In the wake of Anthropic’s Claude Mythos preview, discussions among leaders from the Trump administration have reportedly contemplated the reduction of the standard timeframe for federal agencies to remediate Common Vulnerabilities and Exposures (CVEs) listed in the Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities (KEV) catalog.

According to Reuters, leaders at both CISA and the Office of the National Cyber Director have considered cutting the standard KEV deadline to three days, down from the current two to three weeks.

CISA did not provide a comment regarding the discussions about KEV deadlines. However, it is noteworthy that all four entries into the KEV catalog from May 6 to May 14 featured a deadline of three days.

The acceleration of patching timelines is anticipated to pose considerable challenges for numerous federal agencies.

Hemant Baidwan, former Chief Information Security Officer at the Department of Homeland Security, remarked that transitioning to a three-day deadline is “not going to be an easy thing,” yet he acknowledged that “it does need to happen.”

“We cannot afford the luxury of adhering to antiquated remediation cycles, waiting 30, 60, or even 120 days to address a security vulnerability,” asserted Baidwan, who is now Executive CISO at Knox Systems, in communication with Federal News Network.

This sense of urgency has been exacerbated by the preview of Claude Mythos. Rob Joyce, former Cybersecurity Director at the National Security Agency, indicated that “even before Mythos, the risk environment had transformed dramatically” due to the emergence of large language models.

During a recent webinar hosted by Secureframe, Joyce articulated that AI systems are now detecting software vulnerabilities “at an industrial scale.”

“We are not identifying bugs more rapidly due to an increase in human resources,” Joyce explained. “Our velocity in detection has surged primarily because the discovery loop is predominantly machine-driven.”

Joyce advocated swift upgrades of outdated technologies, which AI has shown it can exploit easily, while emphasizing that “known vulnerabilities will inevitably be exploited.”

“Determine methods for expedited patching and consider decommissioning end-of-life systems,” Joyce advised. “The CISA KEV catalog serves as an unmistakable warning that threats are imminent.”

Accelerating KEV Timelines

Even prior to the revelations surrounding Mythos last month, CISA had been actively condensing deadlines for the remediation of vulnerabilities listed in the KEV.

In 2026, the average deadline for vulnerabilities recorded in the KEV catalog stands at a mere 14.4 days. In stark contrast, the average was 19.7 days last year, while in 2024, the deadlines exceeded 20 days, on average.

CISA established the KEV catalog in 2021 to provide a systematic approach for federal agencies to rectify hazardous software flaws, eschewing reliance on isolated emergency directives.

The initial objective was a standard deadline of two weeks or less. Officials quickly recognized, however, that many agencies were missing those deadlines, routinely by weeks or even months, according to Tod Beardsley, former section chief of the vulnerability response section at CISA and now Vice President of Research at runZero.

“Paradoxically, tighter deadlines have resulted in extended patch durations,” remarked Beardsley.

“When the criteria are framed such that you are deemed successful if you meet the deadline, and unsuccessful if you exceed it, there is a greater risk of failing outright once that deadline passes,” he elaborated.

From 2022 to 2025, CISA set the deadlines for most CVEs at three weeks; Beardsley said this two- to three-week span had emerged as a “sweet spot” for most agencies.

Since March of this year, however, CISA has begun assigning most KEV deadlines at 14 days. Of the 61 vulnerabilities ever cataloged with patch deadlines of seven days or less, 25 were added this year.

“It has not escaped notice that the timelines have already been abbreviated,” Beardsley acknowledged.

A federal Chief Information Officer, speaking anonymously because they were not authorized to speak publicly, acknowledged that patching timelines need to move toward immediacy. Agencies must “accelerate both the prioritization and remediation of system vulnerabilities,” which may include greater reliance on automation.

However, the CIO emphasized that agencies should focus on vulnerabilities genuinely exploitable within their specific IT frameworks.

“I welcome a more accelerated timeline, but recognize that merely identifying a CVE does not imply it affects our systems,” the CIO said.

“Additionally, there may not be a swift solution. I contend that added overhead from reporting and data calls can exacerbate issues more than sequential timeline modifications. Prioritizing the individuals executing the work rather than simply documenting protocol should mitigate complications.”
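The deadline statistics quoted above and the CIO's point that a KEV entry only matters if the affected product is actually deployed can both be checked against the catalog itself. The following script is an added example, not code from the article or from CISA: it works over records shaped like entries in CISA's KEV JSON feed (field names `cveID`, `product`, `dateAdded`, `dueDate` follow the feed; the values here are constructed), computes the remediation window per entry and per year, counts short-deadline entries, and filters the catalog against a local product inventory to show days remaining per applicable CVE.

```python
from collections import defaultdict
from datetime import date
from statistics import mean

# Constructed sample records in the shape of CISA KEV feed entries.
# CVE ids, products and dates are made up for illustration only.
SAMPLE_KEV = [
    {"cveID": "CVE-0000-0001", "product": "ExampleVPN", "dateAdded": "2024-03-01", "dueDate": "2024-03-22"},
    {"cveID": "CVE-0000-0002", "product": "ExampleMail", "dateAdded": "2024-07-10", "dueDate": "2024-07-31"},
    {"cveID": "CVE-0000-0003", "product": "ExampleVPN", "dateAdded": "2025-02-03", "dueDate": "2025-02-24"},
    {"cveID": "CVE-0000-0004", "product": "ExampleFW", "dateAdded": "2025-09-15", "dueDate": "2025-09-29"},
    {"cveID": "CVE-0000-0005", "product": "ExampleMail", "dateAdded": "2026-04-01", "dueDate": "2026-04-15"},
    {"cveID": "CVE-0000-0006", "product": "ExampleVPN", "dateAdded": "2026-05-11", "dueDate": "2026-05-14"},
]


def window_days(entry):
    """Remediation window in days: due date minus the date the CVE was added."""
    added = date.fromisoformat(entry["dateAdded"])
    due = date.fromisoformat(entry["dueDate"])
    return (due - added).days


def average_window_by_year(entries):
    """Mean remediation window (days, one decimal) keyed by year of addition."""
    by_year = defaultdict(list)
    for e in entries:
        by_year[e["dateAdded"][:4]].append(window_days(e))
    return {year: round(mean(days), 1) for year, days in sorted(by_year.items())}


def short_deadline_count(entries, max_days=7):
    """Number of entries whose window is max_days or shorter."""
    return sum(1 for e in entries if window_days(e) <= max_days)


def triage(entries, inventory, today):
    """Keep only CVEs whose product is in our inventory; report days until due.

    Negative days mean the deadline has already passed. Sorted so the most
    overdue items come first and the soonest upcoming deadline last.
    """
    hits = []
    for e in entries:
        if e["product"] in inventory:
            days_left = (date.fromisoformat(e["dueDate"]) - today).days
            hits.append((e["cveID"], e["product"], days_left))
    return sorted(hits, key=lambda h: h[2])


if __name__ == "__main__":
    print(average_window_by_year(SAMPLE_KEV))
    print(short_deadline_count(SAMPLE_KEV))
    for hit in triage(SAMPLE_KEV, {"ExampleVPN", "ExampleFW"}, date(2026, 5, 12)):
        print(hit)
```

Pointing `SAMPLE_KEV` at the `vulnerabilities` array of a downloaded KEV feed and `inventory` at an asset-management export gives the per-agency view the CIO describes, without a data call.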

Baidwan highlighted the importance of prioritization, particularly in a landscape where AI is increasing the rate at which software vulnerabilities surface.


“The more expediently you can achieve this, the sooner you can assert, ‘Well, CISA, I cannot mitigate this in three days, but I have implemented a countermeasure that complicates exploitation for adversaries,’” he suggested.

“In the interim, I have already allocated my resources towards remediating genuinely vulnerable targets.”

Beardsley noted that agencies proficient in patch management typically possess a clear understanding of their environment and develop strategic playbooks to manage software updates, particularly for the “unusual software” some agencies rely upon.

He posited that CISA could advance novel methodologies and best practices pertaining to software lifecycle management.

“CISA occupies a unique stance, advising and occasionally directing 102 agencies,” Beardsley stated. “By concentrating on just one or two, they could confidentially produce reports detailing effective strategies and illustrating the technological habits of successful agencies.”

Source link: Federalnewsnetwork.com.

Disclosure: This article is for general information only and is based on publicly available sources. We aim for accuracy but can't guarantee it. The views expressed are the author's and may not reflect those of the publication. Some content was created with help from AI and reviewed by a human for clarity and accuracy. We value transparency and encourage readers to verify important details. This article may include affiliate links. If you buy something through them, we may earn a small commission — at no extra cost to you. All information is carefully selected and reviewed to ensure it's helpful and trustworthy.

Reported By

Neil Hemmings

I'm Neil Hemmings from Anaheim, CA, with an Associate of Science in Computer Science from Diablo Valley College. As Senior Tech Associate and Content Manager at RS Web Solutions, I write about AI, gadgets, cybersecurity, and apps – sharing hands-on reviews, tutorials, and practical tech insights.