The Cybersecurity and Infrastructure Security Agency plans to release a binding directive on Wednesday that tasks the federal government with rethinking how it manages risks to its networks and prioritizing cyber vulnerabilities that demand the most urgency, agency acting director Nick Andersen said.
The goal is to push agencies to focus less on the sheer number of known cyber vulnerabilities and more on the risks those flaws pose if they’re exploited by hackers, said Andersen, who added that the cyber community needs to “be okay with saying there are some systems that are less important than others.”
“If we try to say that everything is equally as important, then absolutely nothing’s going to be important,” he told an audience of industry professionals at a Tuesday event held by cybersecurity firm Axonius.
“It’s going to be really hard for us, if one day we have to have those hard conversations with people about how we knew better and how we didn’t prioritize risk appropriately, how we didn’t make the hard choices,” he added.
The remarks are an acknowledgment that agencies cannot protect every system equally through patch mandates, and must instead focus their often limited resources on the vulnerabilities and networks whose compromise could cause the greatest damage.
Federal agencies are a constant target for hackers. For years, adversaries have compromised government systems for access to emails, employee records and other sensitive data.
Government agencies also oversee industry sectors such as energy, healthcare, telecommunications and water, meaning their cyber staff must also weigh how disruptions could ripple across critical services.
On the sidelines of the event, Andersen told reporters that artificial intelligence-backed cyber threats are one factor informing discussions around the directive, but he said CISA’s work on the AI ecosystem still predates the release of powerful systems such as Anthropic’s Mythos.
The administration’s approach to AI has shifted in recent months as officials confront a new class of cyber-focused models that can rapidly identify vulnerabilities across computer networks, becoming a major driver of discussions over how advanced AI systems could reshape both defensive and offensive cyber operations.
President Donald Trump recently signed an AI security executive order that encourages developers to submit powerful new models to a 30-day government review before public release. On Friday, he signed a memorandum aimed at speeding up government use of advanced AI across the military and intelligence community.
“Is the [directive] a recognition that we’re in a different dynamic environment with a shorter timeline to weaponization and exploitation? Yeah, that’s certainly a part of it,” Andersen said. “But well before these last couple of months, this is a conversation that we were having about this ever-shrinking window we have for addressing vulnerabilities today.”
“It’s too exceedingly easy for malicious cyber actors to be able to exploit [vulnerabilities] as soon as they’re published and be able to take advantage of the fact that a lot of people are just not as well-resourced as we would like, and they’re not as able to quickly have a continuous patch cycle to be able to address some of these devices,” he added.
Read the full article here