A new executive order aims to put gas in the federal cybersecurity tank and prepare the government for frontier AI models like Anthropic’s Claude Mythos, but private sector participation is voluntary and practitioner impact remains to be seen.

The executive order, which the White House unveiled this week, aims to prioritize cybersecurity in the Trump administration and encourage the private sector to share AI frontier models with the federal government for an early preview prior to releasing the model publicly. 

President Donald Trump’s second term has butted up against the cybersecurity community. Early last year, the administration effectively shuttered the Cyber Safety Review Board, and this was followed by mass CISA layoffs, cybersecurity-focused budgetary cuts, and other actions such as a withdrawal from cybersecurity event RSAC Conference.

The new executive order, “Promoting Advanced Artificial Intelligence Innovation and Security,” could reverse this course. Sec. 2, Upgrading American Systems for Advanced AI, orders the Committee on National Security Systems and Secretary of Defense Pete Hegseth to take action to “prioritize the cyber defense of National Security Systems” within 30 days.


Moreover, most other cyber stakeholders, including the Department of Homeland Security (DHS), the Director of the Office of Management and Budget (OMB), the assistant to the president for National Security Affairs, and the National Cyber Director, are ordered to expedite and prioritize the cyber defense of civilian federal government information systems, as well as to establish or expand federal programs and cybersecurity services to enhance AI defensive tool deployment.

The EO will also “facilitate access to cybersecurity tools and services including, where appropriate, covered frontier models for agencies, State and local authorities, and operators of critical infrastructure such as rural hospitals, community banks, and local utilities.”

Rob T. Lee, chief AI officer at SANS Institute, calls the government’s promised investment into cybersecurity, and particularly its investment into critical infrastructure and communities, “a genuine public good.” 

“Whether this head start helps,” Lee says, “depends on implementation, and implementation means collaboration between the agencies who will build the work with the private sector instead of handing it down.”

The EO signals an apparent intention to invest in cybersecurity that includes increased budgets and hiring. To that latter point, within 60 days, the OMB will create new “placement pathways” for cybersecurity specialists in the federal government.


Devin Maguire, senior manager of product marketing at AI development security firm Cycode, says cybersecurity is a primary concern when it comes to AI, and Cycode sees the executive order “as a signal of the government’s recognition of the cyber capabilities of frontier AI models and the clear and present risks they pose.”

A ‘Voluntary’ Framework for Early AI Access

Trump ordered relevant parties to establish a new voluntary framework for AI developers to provide the federal government with “secure early access” to certain frontier models that are covered by a set of standards, which will also be developed as part of the executive order. Companies are not required to participate or get government pre-approval prior to releasing frontier models.

PwC Cyber & Privacy Innovation Institute leader Tonya Ugoretz tells Dark Reading that the voluntary review process offers an opportunity to identify potential security concerns before release, demonstrate responsible stewardship, and help shape the standards governing future AI deployments.

“There is also a practical consideration: companies want predictable relationships with policymakers and regulators, particularly in a rapidly evolving area like frontier AI,” says Ugoretz, who previously served in the FBI for more than 20 years. “While the framework is voluntary, I expect there will be strong incentives for companies operating at the leading edge of model development to participate. Not doing so could increase calls for mandatory regulation.”


Peter Girnus, senior threat researcher at Trend Micro’s Zero Day Initiative, observed in a thread posted to X that although the early access period is technically optional, the companies deciding whether to participate are also bidding on government contracts and trying to avoid the ire of sophisticated intelligence agencies. 

The government will also build out a new “AI Cybersecurity Clearinghouse” to act as a central hub for sharing information relating to AI-related vulnerability remediation and to help identify and fix software vulnerabilities at scale.

The order comes weeks after Anthropic unveiled Claude Mythos, a large language model (LLM) allegedly capable of discovering critical vulnerabilities and exploits with little handholding on the prompter’s part. This also follows the Department of Defense apparently designating Anthropic a supply chain risk to America’s national security in March.

The final major component is an order to the attorney general to prioritize enforcement against “anyone who utilizes AI to illegally access or damage a computer without authorization, or who utilizes AI while engaged in such illegal access to further any other crime.”

Daniel Kroese, vice president of public policy and government affairs at Palo Alto Networks, tells Dark Reading that the executive order on the whole “will marshal much-needed system hardening against the threat of adversarial use of advanced AI.”

How the AI Executive Order Will Affect Security Practitioners

On the practitioner side of things, Ugoretz says that while most companies won’t be part of the select group receiving early access to frontier capabilities, “they will be its beneficiaries.”

“The challenge will be security teams’ capacity to absorb and act on the anticipated stream of vulnerability information and patches the new government clearinghouse is directed to distribute,” she explains. “These teams shouldn’t wait for the spigot to turn on. They should act now to reinforce cybersecurity fundamentals, integrate AI risk into existing governance processes, turn AI tools inward for defensive scanning, and build capacity to respond quickly to discovered vulnerabilities.”

SANS Institute’s Lee says the executive order is a tailwind for work the security community has been doing since April, and it doesn’t replace the program a security team has to run on its own. The effects depend on where organizations sit in the AI model access tier.

“If you end up a trusted partner, you get coordinated patches early. If you don’t, you plan for the public-disclosure pace, which, in practice, means patches arriving in clusters across several vendors at once. The constraint now is verification and the capacity to deploy fixes, not finding the bugs in the first place,” he says. “The baseline work is the same as it was the week the Mythos paper came out: point AI agents at your own code, put AI tooling into your defensive workflows, harden the fundamentals, speed up procurement for defensive tech, and rewrite incident response playbooks for the day that several critical patches land on the same morning.”




