U.S. Officials Consider Three-Day Patch Rule in Wake of Anthropic’s Mythos
Federal officials reportedly are considering significantly cutting the amount of time U.S. agencies have to fix critical vulnerabilities in the wake of the introduction of Anthropic’s Mythos and OpenAI’s GPT-5.4-Cyber, frontier AI models that are particularly good not only at detecting software security flaws but also at exploiting them.

Citing unnamed sources, Reuters reported that U.S. National Cyber Director Sean Cairncross and Nick Andersen, acting head of CISA, are considering slashing the time U.S. agencies have to fix flaws that are being actively exploited from two weeks to three days.

The drastically reduced deadline reflects the concern fueled by the unveiling of Mythos and GPT-5.4-Cyber last month. Both Anthropic and OpenAI somewhat limited the release of the frontier models, but their capabilities are raising concerns about the future of cybersecurity.

In a blog post introducing Mythos and Anthropic’s new Project Glasswing, in which select security vendors, including Google, Microsoft, Nvidia, Cisco, and Amazon Web Services, and researchers are using the model to develop advanced cybersecurity capabilities, the AI vendor wrote that its general-purpose model “reveals a stark fact: AI models have reached a level of coding capability where they can surpass all but the most skilled humans at finding and exploiting software vulnerabilities.”

Detect and Exploit Flaws

Threat actors that gain access to Mythos or GPT-5.4-Cyber could find software security flaws that vendors and cybersecurity research teams don’t know about, and then quickly create exploits for those vulnerabilities, reducing the time to exploit from weeks or days to hours or minutes.

“The fallout – for economies, public safety, and national security – could be severe,” Anthropic wrote. “Project Glasswing is an urgent attempt to put these capabilities to work for defensive purposes.”

Government Concerns

Mythos and GPT-5.4-Cyber have raised concerns both inside and outside of the federal government.

Days after Anthropic’s announcement of Mythos, Treasury Secretary Scott Bessent and Jerome Powell, chairman of the Federal Reserve, met with the CEOs of the country’s largest banks, including Citi and Bank of America, about the dangers Mythos poses if it falls into the hands of cybercriminals.

More recently, White House officials told Anthropic they oppose the AI vendor’s plan to expand access to Mythos to about 70 more organizations, citing concerns about the threat of the model’s misuse and the infrastructure necessary for such a rollout. Among the concerns is that shortly after Mythos was announced, there were reports of unauthorized access by users who got in through private channels.

Another worry was whether Anthropic had the necessary infrastructure to support the additional users. If not, it could slow down the cybersecurity work some government agencies are doing that requires access to Mythos.

A Good Idea, but Difficult to Implement

Security pros told Security Boulevard that faster patching of security flaws is a good idea, but that the government can’t expect it to happen with the ease of flipping a light switch. There are structural challenges, and bad actors armed with AI tools can now often reach vulnerable systems in less than three days.

“Having spent the last decade working with federal CIOs and CISOs on this challenge – albeit before the release of Mythos and GPT-5.4-Cyber – most organizations are not yet equipped to safely validate, prioritize, and remediate critical or actively exploited vulnerabilities at that pace without risking service disruption or incomplete fixes,” said Matthew Hartman, who is now chief strategy officer at Merlin Group after spending almost 15 years with the U.S. Department of Homeland Security, including his last five years there with CISA. “Closing that gap will require sharper prioritization, along with significant investment in automation and real-time asset visibility.”

Structural Challenges

Louis Eichenbaum, federal CTO at ColorTokens, called the idea a step in the right direction, but added that it isn’t nearly enough.

“Even if agencies could patch every system within three days, that timeline is already too long in an environment where adversaries are using AI to discover and exploit vulnerabilities in near real time,” Eichenbaum said. “We also must acknowledge a structural reality: a significant portion of federal environments, particularly legacy and OT systems, cannot be patched quickly, and in some cases cannot be patched at all without risking mission disruption.”

“Patching alone is no longer a sufficient vulnerability management strategy,” he added. “Agencies must complement patching with a containment strategy.”

Part of such a strategy requires microsegmentation, which would enable security teams to create secure, policy-enforced boundaries around vulnerable systems that restrict traffic flows and prevent lateral movement by attackers even if a system is compromised, Eichenbaum said. It would reduce the reach of an exploit and give defenders greater visibility.

Patching is a Complex Process

Another concern is that while a tighter deadline would force organizations to operate faster, security patches from vendors or open source communities may not always exist in the accelerated timeframe, said Morey Haber, chief security advisor at BeyondTrust. If they do, they still need to go through enough quality assurance testing to ensure they don’t create other vulnerabilities or break functionality.

“In addition, patching in large organizations is not a single action by one individual or team,” Haber said. “It is a chain of dependencies to verify asset discovery, impact analysis, regression testing, change management, outage coordination, and often regulatory validation. In many environments, especially those tied to critical infrastructure or financial systems, a patch is not deployed until absolutely necessary because of the downtime needed simply to apply the patch and reboot.”

He added that an accelerated timeline will only work for organizations that already have extensive patch automation, real-time vulnerability management, identity-centric controls, and other capabilities.

“For everyone else, you cannot compress remediation timelines if you have not first compressed your reporting and exposure of risk first,” Haber said.
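To make concrete what a shorter window does to a remediation queue, here is an added Python example, written for this page and not taken from the article, Reuters, or any of the vendors quoted. It scores a set of constructed findings against a 14-day and a 3-day window for actively exploited flaws, and routes each one to patch, mitigate, or contain so that the unpatchable legacy and OT case Eichenbaum raises and the no-patch-yet case Haber raises are handled rather than ignored. The 30-day window for non-exploited criticals, the sample assets, and the finding identifiers are all assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed policy windows, in days. 14 is the current window the article cites
# for actively exploited flaws and 3 is the proposed one; the 30-day window for
# other critical findings is an assumption for this example, not the article's.
CURRENT_EXPLOITED_WINDOW = 14
PROPOSED_EXPLOITED_WINDOW = 3
OTHER_CRITICAL_WINDOW = 30


@dataclass(frozen=True)
class Finding:
    ident: str              # constructed identifier, not a real CVE
    asset: str
    actively_exploited: bool
    patch_available: bool   # a vendor or community fix exists
    patchable: bool         # False for legacy/OT hosts that cannot take the patch
    discovered: date        # date the finding entered the tracker


def deadline(f: Finding, exploited_window: int) -> date:
    """Remediation due date under a given window for actively exploited flaws."""
    window = exploited_window if f.actively_exploited else OTHER_CRITICAL_WINDOW
    return f.discovered + timedelta(days=window)


def action_for(f: Finding) -> str:
    """Pick the remediation path; the order of the checks matters.

    A host that cannot be patched needs containment (segmentation) whether or
    not a fix exists; a patchable host with no fix needs a compensating control
    until one ships; only the remaining case is a plain patch.
    """
    if not f.patchable:
        return "contain"
    if not f.patch_available:
        return "mitigate"
    return "patch"


def triage(findings, today: date, exploited_window: int) -> list[dict]:
    """Score every finding against the window and order the work queue."""
    rows = []
    for f in findings:
        due = deadline(f, exploited_window)
        days_left = (due - today).days
        rows.append({
            "ident": f.ident,
            "asset": f.asset,
            "exploited": f.actively_exploited,
            "due": due,
            "days_left": days_left,
            "overdue": days_left < 0,
            "action": action_for(f),
        })
    # Actively exploited findings first, then the least time remaining.
    rows.sort(key=lambda r: (not r["exploited"], r["days_left"]))
    return rows


def overdue_idents(findings, today: date, exploited_window: int) -> list[str]:
    """Identifiers of findings that have blown the deadline under this window."""
    return [r["ident"] for r in triage(findings, today, exploited_window)
            if r["overdue"]]


# Constructed sample findings for the demonstration (not real vulnerabilities).
SAMPLE = [
    Finding("FINDING-1", "web-gateway-01", True, True, True, date(2026, 4, 1)),
    Finding("FINDING-2", "plant-historian-03", True, True, False, date(2026, 4, 1)),
    Finding("FINDING-3", "hr-portal", True, False, True, date(2026, 4, 3)),
    Finding("FINDING-4", "build-runner-07", False, True, True, date(2026, 4, 1)),
]


if __name__ == "__main__":
    today = date(2026, 4, 6)
    for window in (CURRENT_EXPLOITED_WINDOW, PROPOSED_EXPLOITED_WINDOW):
        print(f"--- {window}-day window for actively exploited flaws ---")
        for r in triage(SAMPLE, today, window):
            flag = "OVERDUE" if r["overdue"] else f"{r['days_left']:>2}d left"
            print(f"{r['ident']:10} {r['asset']:20} {r['action']:8} {flag}")
```

Run as written, the same four findings are all on schedule under the 14-day window and two of them are already overdue under the 3-day window, five days after discovery. The point a practitioner should take from it is in `action_for`: the deadline only changes the date, not what is possible on the host, so a tracker built for a 3-day window has to carry a containment path for systems that cannot be patched and a compensating-control path for flaws with no fix yet, or the shorter clock just produces a longer overdue list.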
