His testimony came during a House Homeland Security Subcommittee on Cybersecurity and Infrastructure Protection hearing, portions of which centered on frontier AI models such as Anthropic’s Mythos and the speed at which they can find and potentially exploit software vulnerabilities.
Cable told lawmakers that the secure-by-design approach to software that CISA, the FBI, the National Security Agency and others called for three years ago is more important than ever, and that the sheer volume of vulnerabilities being found has outstripped technologists’ capabilities to patch or otherwise resolve them.
“The central challenge is not that AI creates new categories of vulnerabilities. It’s that AI dramatically increases the speed and scale at which vulnerabilities can be introduced, found and exploited,” Cable said in his opening statement.
“These models aren't just hype,” he said during testimony. “They are truly starting to rival or exceed humans on security tasks and do so at an unprecedented scale. We won't be able to patch our way out of this.”
Cable, the CEO and co-founder of Corridor, an AI security company, began his time as a CISA senior technical adviser shortly before the 2023 release of the secure-by-design guidance, according to LinkedIn. Secure-by-design generally promotes the idea of building security into software from the start and reducing common flaws that attackers repeatedly exploit.
Rather than relying solely on traditional patching cycles, Cable urged policymakers to focus on secure-by-design practices, memory-safe programming languages and AI-assisted code modernization to reduce vulnerabilities before they reach production systems.
“Our response must shift from patching individual bugs to preventing entire classes of vulnerabilities at the source,” Cable said.
Sandra Joyce, vice president of Google Threat Intelligence, agreed with Cable during her testimony.
AI can be used to harden software and enhance cybersecurity tools, Joyce said, but threat actors are operating at “unprecedented speed to take advantage of slow patch cycles, beleaguered security teams and human response time.”
Information sharing and collaboration between the public and private sectors are key to organizing against people using AI for cyber crime or infrastructure interference, Chris Meserole, executive director of the Frontier Model Forum, said. His nonprofit has been working with large software firms to establish channels for sharing information. The new AI models, Meserole said, are not unexpected.
“The ability of today’s models to autonomously identify and exploit vulnerabilities is clearly in line with empirical forecasts from over a year ago,” he said in testimony. “I say this not to downplay those capabilities, but to underscore that they should not have come as a surprise. If the most recent models caught us off guard, that should serve as a wake-up call to strengthen our public-private partnerships and information-sharing channels.”
The U.S., Meserole said, needs to “develop much closer and more tightly knit information-sharing mechanisms, and public-private partnerships to ensure that the policy community and others are getting the information they need, and understanding it ahead of the moment as opposed to in response to it.”