A Buffer Is Not a Cure
The AI cybersecurity executive order buys defenders a 30-day hurricane warning. What we do before landfall is the whole question.
A reporter asked me last week whether 90 days was the right number. The executive order signed this week answered with 30. I didn’t have a clean number for him then and I don’t now, because from a pure security standpoint there isn’t one.
There’s too much code exposed and too much testing left undone for any window to make this safe. (Ask a security person how much warning they want and the honest answer is “all of it.”)
The executive order Trump signed Tuesday, “Promoting Advanced Artificial Intelligence Innovation and Security,” asks AI developers to give the federal government up to 30 days with a covered frontier model before it reaches trusted partners, and then everyone else on the public disclosure cycle. The draft had said 90.
Security people wanted more than that. The labs wanted far less. Thirty is where it landed, a long way down from the draft, and nobody in either camp is happy. That is usually the shape of a real compromise, not a failure of one.
The buffer is not a fix. It’s a hurricane warning. You board the windows, you move what you can, and the storm still makes landfall. The value isn’t prevention. It’s the time to prepare, and the fact that you aren’t surprised when it hits. (Surprise is the expensive part.) Read “signed” as “problem solved” rather than “clock running,” and we will have wasted the one thing the buffer actually gives us.
There’s a quieter assumption in the whole debate: that this is a one-shot problem. Run the model across the public code, close the gaps, declare victory. It doesn’t work that way.
Source code analysis is Mythos’s current focus, which is why open source gets scanned first. Anyone can point it at the Linux kernel, and if there’s a flaw in something that runs in every cloud on earth, it gets found.
The defensive upside is real. Organizations can finally scan their own codebases before they push to production instead of after the breach, and full vulnerability analysis could become routine. The defensive upside and the offensive downside are the same tool. You don’t get one without the other.
But the same capability does black box exploitation well, and that’s the part that breaks the one-shot fantasy. You don’t need source code to find a zero day. You poke at how the product behaves, watch where it breaks, and build the exploit from the outside.
That is how nation-state teams have gone after Microsoft and Apple and Google for years, none of which hand over their source. Closing your code does not close the door. The vulnerabilities get found either way. (Adversaries don’t wait for their tier assignment.)
Which gets to what I actually worry about. Access to these capabilities is not equal, and it isn’t going to be. JPMorgan, Amazon, the players sitting on their own data centers, they’ll be fine. The order names rural hospitals, community banks, and local utilities as a concern, correctly, and then offers them a discretionary “where appropriate” while the early access goes to trusted partners selected in collaboration with the government. The hospital in Springfield is at the back of that line.
The buffer also rests on an assumption I’m not sure holds: that the good guys can control access and the bad guys can’t get it. We know DPRK operatives get hired into Western companies as remote engineers and security staff. If an adversary genuinely wants to run their own testing against one of these models, the cleanest path is to already be inside an organization that has it. (I’m not saying anyone’s doing this. I’m saying the temptation and the access are both sitting right there.) A 30-day window assumes a level of control that the last several years of insider-threat reporting should make us skeptical of.
Underneath all of it is the oldest question in cyber defense: what is the federal government actually responsible for? The critical infrastructure everyone is anxious about sits in private hands. Data centers, hospitals, banks, the grid. The military is restricted from defending a private company’s network. The FBI takes your report and thanks you for the data. CISA runs real threat intelligence, coordinated disclosure, and binding directives across federal systems, but its authority to reach inside a private company and run the defense is narrow.
When Volt Typhoon pre-positioned in American infrastructure and Salt Typhoon went into the telecoms, they went after private companies, because that is where the front line is. (I came up through the military side. The distance between “protect the nation” and what you are actually permitted to do still bothers me.)
The government does have a role here, and it’s less about running the defense than about who gets to decide the rules. The order keeps the framework voluntary and explicitly avoids any licensing requirement, which is the right call for getting industry to participate at all. But it also leaves trusted-partner selection as a developer-and-government collaboration, and a vendor should not be in the position of choosing which organizations and which countries live inside the protected tier and which don’t. That is a determination with real geopolitical weight, and it should not rest on a company’s procurement team. Whether you welcome federal involvement or not, having the labs quietly pick winners is worse.
None of this gets solved by the order.
What the order does, at best, is document the threat and start the argument, and the real risk now is that “signed” gets read as “handled.” The work is what the community builds during the buffer. That is why Gadi Evron, Rich Mogull, and I, with Cloud Security Alliance, SANS, and [un]prompted, are running closed-door CISO working sessions in DC, New York on June , and San Francisco: one hard question per session, the people in the fight writing the new playbooks before the vendors write them for us. All senior security leaders should apply to attend. The first session drew strong feedback by every account I’ve gotten back.
Read the Mythos-ready security program paper by the same coalition here.
The honest open question I don’t have an answer to: when the next frontier model ships, and the one after that, how does any of this scale? The list of who’s inside and who’s outside only gets longer. (And nobody has volunteered to hold the list.) Find out where your organization actually sits in that access structure. If you don’t know, that is the first thing worth doing this week.
Rob T. Lee is Chief AI Officer & Chief of Research, SANS Institute.


