Government Can Coordinate a New Vulnerability Response Model
Wenger says advanced frontier AI models are not necessarily discovering entirely new classes of vulnerabilities. Rather, they are finding existing flaws much faster than humans can.
That acceleration creates a challenge for both technology vendors and customers.
The result could be a surge of vulnerability disclosures and software updates arriving simultaneously from multiple vendors. Federal agencies, enterprises and critical infrastructure operators would then face difficult decisions about which vulnerabilities to address first and how quickly they could deploy patches across production environments.
Historically, organizations have relied on risk scoring systems that prioritize vulnerabilities based on severity rankings. However, Wenger said, that approach may become less effective if AI systems are able to chain together multiple lower-severity vulnerabilities to achieve critical outcomes.
Government could play an important convening role in that environment, he said.
Cisco believes there is an opportunity for federal leaders to bring together frontier AI developers, cybersecurity vendors and technology operators to establish processes for evaluating vulnerabilities, prioritizing remediation efforts and accelerating patch deployment.
“We need some greater coordination between the private sector, frontier model makers, companies that are using this to test their products and those who are going to be deploying the patches,” Wenger said.
The company also supports efforts to stage access to powerful cyber-focused AI models, giving defenders an opportunity to identify and remediate vulnerabilities before similar capabilities become widely available.
Cisco’s “Shields Up” paper echoes that theme, arguing that responsible disclosure practices and coordinated vulnerability management will become increasingly important as AI expands the scale and speed of security testing.
EXPLORE: Go from strategy to action with zero-trust networking.
Federal Agencies Face Their Own Modernization Challenge
While government can help organize a broader response, Wenger said, federal agencies must also address long-standing cybersecurity and technology modernization issues within their own environments.
One concern is the shrinking “mean time to exploit” — the period between when a vulnerability is publicly disclosed and when attackers begin exploiting it.
Wenger cited Cisco data that shows that timeline has fallen from approximately 63 days in 2018 to five days in 2023 and now measures less than a day in many cases. With AI-assisted vulnerability discovery continuing to improve, he suggested, that timeline could shrink further, increasing pressure on agencies to automate patching and modernize aging systems.
As that window continues to narrow, agencies may need to rethink traditional patch management and authorization processes.
Wenger pointed specifically to FedRAMP as an area where modernization could help accelerate security improvements.
“If you have something that’s going to be closing a vulnerability, you shouldn’t have to go back through a whole FedRAMP authorization process in order to be able to take care of fixing the problem,” he said.
He also highlighted recent federal efforts to identify unsupported and end-of-life technologies across agency environments. Asset inventories, firmware updates and lifecycle management programs will become increasingly important as AI-enabled tools make it easier to identify exploitable weaknesses in aging systems.
Federal agencies must first understand what technology they have deployed before they can effectively manage cyber risk, Wenger said.
“We’re never going to make progress against the problem if we don’t have any understanding of how big it is,” he said.
DIVE DEEPER: How agencies are navigating machine identity management.
Foundational Security Controls Become More Important in the AI Era
Despite growing attention on AI-powered cyberattacks, Wenger said, the most effective defenses remain familiar ones.
Zero-trust architectures, least-privilege access controls, multifactor authentication, network segmentation and strong asset management practices continue to provide meaningful protection against both traditional and AI-enhanced threats.
That conclusion is also central to Cisco’s “Shields Up” guidance. The white paper argues that organizations should focus on accelerating adoption of proven cybersecurity controls while also exploring AI-powered defensive capabilities that can help protect legacy infrastructure and automate security operations.
AI is largely exposing weaknesses that already exist rather than creating entirely new attack categories, Wenger said.
The challenge for government agencies is that those weaknesses can now be discovered and exploited much faster.
“The kinds of things that you can do to reduce blast radius by isolating and segmenting, so that if something gets popped, you don’t have other things near it get popped — that’s always been good advice,” Wenger said. “But it’s all the more so at this moment.”