The US government is preparing for a new era of cyber warfare where hackers armed with advanced AI can exploit software vulnerabilities in hours rather than weeks. Cybersecurity officials are now considering dramatically shorter deadlines for fixing critical flaws in government IT systems to keep pace with this accelerated threat landscape.
The proposed changes would cut response times from the current two to three weeks down to just three days for actively exploited vulnerabilities, according to sources familiar with discussions at the Cybersecurity and Infrastructure Security Agency (CISA). This represents one of the most significant shifts in government cybersecurity policy as officials grapple with AI-powered hacking tools that are fundamentally changing the speed of cyber warfare.
The urgency stems from the emergence of sophisticated AI models like Anthropic’s Mythos and OpenAI’s GPT-5.4-Cyber, which can quickly identify and exploit software flaws that previously would have taken hackers much longer to discover and weaponize. While hackers have used AI tools since at least 2023, these newer models can compress attack timelines from months or weeks down to mere hours in some cases.
“If you’re going to protect civil agencies, you’re going to have to move faster,” said Stephen Boyer, founder of cybersecurity company Bitsight. “We don’t have as much of a window as we used to have.”
The timeline compression reflects a broader shift in cybersecurity strategy as defenders realize they’re operating in an environment where traditional response times may no longer be adequate. CISA has maintained a catalog of known exploited vulnerabilities (KEVs) for years, typically giving civilian agencies three weeks to patch critical flaws, though this recently dropped to around two weeks.
The proposed three-day deadline would become the new default, representing a ten-fold acceleration in expected response times. The discussions involve CISA’s acting chief Nick Andersen and national cyber director Sean Cairncross, though no final decision has been announced.
This shift carries implications far beyond federal agencies. State and local governments, along with private businesses, often look to CISA’s standards as benchmarks for their own cybersecurity practices. “This is a signal to others that says, ‘Hey you need to do this more quickly,'” explained Nitin Natarajan, former deputy director of CISA under President Joe Biden.
However, the aggressive timeline faces significant practical challenges:
- Resource constraints at CISA following budget cuts and staffing reductions under the Trump administration
- Technical complexity of properly testing patches before deployment
- Varying capabilities across different government agencies and IT environments
- Potential for rushed fixes to introduce new vulnerabilities
“Realistically, three days is simply impossible for some environments,” warned Kecia Hoyt, a vice president at threat intelligence firm Flashpoint. She noted that proper software patching often requires extensive testing to avoid system disruptions or security gaps.
The banking industry has been particularly affected by the rollout of more advanced AI models, with regulators scrambling to assess the full scope of risks posed by these tools. The speed at which AI can now analyze code and identify attack vectors has caught many organizations off guard.
John Hammond, senior principal security researcher at Huntress, acknowledged that three-day deadlines would represent “quite a change” for the industry. While cautiously optimistic about faster response times, he emphasized that “only time will tell how well the industry keeps up.”
The proposed changes highlight a fundamental challenge facing cybersecurity professionals: balancing speed with thoroughness in an environment where both attackers and defenders are increasingly relying on AI capabilities. As these tools become more sophisticated and accessible, the traditional cat-and-mouse game of cybersecurity is accelerating to unprecedented speeds.
For government agencies already struggling with cybersecurity staffing and budget constraints, the shorter deadlines could create additional pressure to automate more of their security operations or risk falling behind in the race against AI-powered threats. The success or failure of this approach may well determine how effectively the US can defend its digital infrastructure in an era of AI-enhanced cyber warfare.