FILE PHOTO: AI (Artificial Intelligence) letters are placed on computer motherboard in this illustration taken, June 23, 2023. REUTERS/Dado Ruvic/Illustration/File Photo

Exclusive-US officials weigh cutting deadlines to fix digital flaws amid worries over AI-powered hacking, sources say

By Raphael Satter

WASHINGTON, May 1 (Reuters) – U.S. cybersecurity officials are considering sharply shorter deadlines for fixing critical flaws in government IT systems, amid concerns hackers could exploit them using artificial‑intelligence tools such as Anthropic’s Mythos, people familiar with the matter said. 

The move, which has not been previously reported, would slash the deadline for responding to actively exploited vulnerabilities from an average of two or three weeks to three days, the people said.

Anxiety over the power and proliferation of AI models like Mythos and OpenAI’s GPT‑5.4‑Cyber has been building for weeks. Although hackers have been deploying AI since at least 2023, these newer models are said to be able to easily identify previously unknown vulnerabilities or seize on freshly disclosed ones to enable complex hacking operations. So while it previously might have taken hackers several months, weeks, or days to take advantage of software flaws, that timeframe has been compressed, in at least some cases, to a matter of hours.

That in turn is putting pressure on defenders to kick into high gear, said Stephen Boyer, the founder of cybersecurity company Bitsight, which has previously helped CISA catalogue vulnerabilities. 

“If you’re going to protect civil agencies, you’re going to have to move faster,” Boyer said. “We don’t have as much of a window as we used to have.”

The two sources familiar with the matter said the deadline proposals were being discussed by Nick Andersen, the acting chief of the Cybersecurity and Infrastructure Security Agency, and Sean Cairncross, the U.S. national cyber director. Reuters could not establish whether a final decision on the matter has been made or when one could be expected. CISA and the Office of the National Cyber Director did not immediately offer comment.

CISA has for years curated a catalogue of known-and-exploited vulnerabilities, or KEVs, which are seen as priorities because they are out in the open and actively being abused by criminals or spies. CISA has typically given civilian agencies a three-week deadline to fix such flaws once they are added to the database, according to cybersecurity researcher Glenn Thorpe, although that has recently dropped to around two weeks. Deadlines are occasionally compressed to deal with particularly serious problems, but the new proposal would see the default cut down to just three days, the sources said.

The discussions at CISA come as business leaders and the digital security industry grapple with the fallout from the release of more advanced AI models. The banking industry, in particular, has been sent scrambling as regulators race to get a handle on how dangerous the new technology is.  

Tightening deadlines at CISA will likely serve as a model for state and local governments as well as businesses and other groups, said Nitin Natarajan, who served as the deputy director of CISA under former President Joe Biden.

“This is a signal to others that says, ‘Hey you need to do this more quickly,'” he said.

Natarajan, who now runs the cyber consultancy NN Global, said speeding up the deadlines made sense given how quickly AI-powered threats were evolving. But he warned that CISA – which has been depleted by deep job cuts and buffeted by government shutdowns under President Donald Trump – needed the capacity to handle the strain of tighter deadlines.

“We’ve seen a reduction in their resources, both in funding and expertise,” Natarajan said. 

Kecia Hoyt, a vice president at the threat intelligence firm Flashpoint, warned that patching software flaws could be a complicated process involving detailed tests ahead of deployment. “Realistically, three days is simply impossible for some environments,” she said.

John Hammond, the senior principal security researcher at Maryland-based Huntress, said dropping deadlines to three days would be “quite a change.” While he said he was cautiously optimistic about running things faster, “only time will tell how well the industry keeps up.”

(Reporting by Raphael Satter; Editing by Chizu Nomiyama)
