From cyber commands to state technology offices, government cyber leaders describe a changing environment that is increasingly defined by constant threats and shrinking response times. At the same time, AI is also giving defenders new tools to combine with traditional cybersecurity best practices. In short, AI is helping to automate both cyber attacks as well as cyber defense efforts.
The usual pressures facing government technology, meanwhile, remain unchanged, including limited resources, complex systems and the size of attack surfaces. With AI in play, those long-standing challenges now translate far more quickly into dangerous risks.
“AI is the biggest disruptor we’ve seen in a very long time,” says Missouri CISO Shawn Ivy, a veteran of the public sector with more than 30 years of experience. “We’re seeing the reports of how fast a vulnerability can be exploited, and it has gone from weeks, days, months — now we’re down to minutes.”
AI-fueled cyber attacks have already spiked the number of threats facing Missouri and other states. Ivy says his state faced 22 billion perimeter requests during a recent month, the highest volume within such a time frame.
“And I have no doubt that is partly because AI is being used,” he says.
HOW AI ADVANCEMENTS FUEL CYBER THREATS TO GOVERNMENT
Omer Dembinsky, data research group manager for Check Point Software Technologies, a cybersecurity company with public-sector clients, focuses on analyzing broad cybersecurity trends rather than individual attacks. He and his colleagues examine patterns in the volume and types of threats across global networks as well as how criminals are using AI.
Dembinsky says criminals are now using agents to scan the Internet for live hosts, exposed services, unsupported software and configuration weaknesses. They are also using AI to create dossiers on potential victims and to pinpoint high-value targets. While phishing and ransomware remain the mode of choice for attackers, they are also getting faster. Cyber gangs can now increase the speed at which they deploy convincing email campaigns, register spoof websites and build out their own infrastructures.
“In many ways, these groups operate like tech companies with recruiters, internal communications and research and development — except their products are designed to harm rather than help,” Dembinsky says.
The threat landscape had grown larger even before the recent acceleration in AI technologies, because of hybrid work, distributed devices, cloud adoption and third-party software, among other factors. When computers are used for everything, there are just more potential entry points for cyber criminals. It's a stark contrast from decades past, when perimeter threats were the norm. AI has now broadened the attack surface again, with the introduction of chatbots, AI-assisted coding tools and unauthorized AI use, which can lead to security gaps, data leaks or prompt manipulation.
“Everything’s connected to the Internet — your doorbell, your Alexa, your TV, so we’ve got an expanding attack surface that can be targeted by people anywhere in the world at any time of day or night,” says Michael Geraghty, state CISO and director of the New Jersey Cybersecurity and Communications Integrations Cell. “That attack surface? Gigantic.”
And so public-sector cybersecurity leaders are feeling more strained than ever. In fact, a recent biennial cyber report from the National Association of Chief Information Officers found that the number of CISOs who said they were “very” or “extremely” confident in their ability to protect data dropped from 48 percent in 2022 to 22 percent in 2026. The reasons range from budget constraints and reduced federal support to heavier workloads. Many also balance more collaboration demands alongside ongoing modernization efforts.
This shows up across agencies, says Aaron Rose, who like Dembinsky is part of Check Point. Rose is a security architect manager who works with federal and public-sector clients, and he says smaller public-sector organizations are often high-value targets without the resources to match. That imbalance can have lasting consequences. In sectors like K-12 education or local government, a breach can expose deeply personal data — and once it’s out, it cannot be fully recovered.
The tactics have evolved, but the underlying crime hasn’t. It just hits faster and can reach farther than ever before.
USING AI TO DEFEND AGAINST CYBER ATTACKS
Missouri CISO Ivy remembers a time when cybersecurity was a nine-to-five job with on-call work.
Today, however, threat monitoring is a 24-hour operation, handling multiple lanes while using next-generation endpoint protections. Attackers don’t sleep, and with AI tools in play, large cyber assaults can now unfold in minutes.
A report from Booz Allen Hamilton found earlier this year that cyber criminals are moving from initial access to broader system compromise in fewer than 30 minutes with the help of AI. Frontier AI models — including Anthropic’s Mythos, which made national headlines this spring for its potential to supercharge cybersecurity threats — also enable small groups to carry out campaigns that used to require larger, coordinated efforts. AI-assisted scanning has compressed the window between finding weaknesses and exploiting them, forcing agencies to monitor systems more continuously than in the past.
“The rate at which vulnerabilities are exploited is getting smaller and smaller, so we’ve actually moved to real-time scanning of our devices,” Kansas Chief IT Officer Jeff Maxon says. “If we just focused on once-a-month scanning, we would be exposed to a lot more vulnerabilities.”
And they can use AI, in part, to do that. In large organizations that monitor multiple agencies, AI can correlate activity across systems and identify anomalies quickly. Missouri’s cybersecurity office works with 17 agencies and ingests roughly 3.5 terabytes of cybersecurity logs daily, making it impossible for one human analyst to review everything. Humans see events, but AI sees patterns in real time, Ivy says.
A recent report from Cloud Security Alliance (CSA), The 'AI Vulnerability Storm,' advises leaders to expect more incidents and prepare with a combination of traditional and AI-enhanced security. The authors encourage using large language models for vulnerability discovery, updating risk metrics to reflect new challenges. They also recommend adopting coding agents to accelerate security operations.
‘Everything Old Is New Again’
Traditional security measures remain as relevant as ever, too. As AI increases the volume and power of threats, it’s important for defenders to stay vigilant with long-standing cybersecurity best practices. These include patch management, identity and access management, network segmentation, and guidance from leading defense organizations, including the National Institute of Standards and Technology, the federal government’s Cybersecurity and Infrastructure Security Agency, or sector-specific advising bodies.
Patching is a must, says New Jersey CISO Geraghty, and it always has been. The vulnerability management timeline, however, has changed drastically, and AI platforms are revealing layers of vulnerabilities, some dating back more than two decades. Geraghty says that even with patch cycles being a regular part of cybersecurity, they depend on prioritization and manpower. Also, missed updates are not uncommon for any organization.
Ignoring updates has always created problems for cybersecurity, and it’s more pressing these days as cyber criminals can now scan environments at AI speed with a mind to attack immediately upon finding a gap.
“Fundamentals come into play, whether it’s an AI supercharged attacker or just regular abuse,” Geraghty says. “Making sure you’re patching the system, making sure you have strong password management and multifactor authentication, making sure you’re not exposing risky services, making sure your cloud configuration is on lockdown. All the good cyber hygiene comes into play.”
Or, in brief, Geraghty says, “Everything old is new again.”
Take for example compromised credentials. This is a tactic dating back decades, and it remains one of the primary ways attackers gain access to systems. It’s at the heart of phishing attacks, wherein a staffer might get an email that looks legitimate, requesting they share their login credentials. The way to combat this is by training members of organizations to spot and report phishing emails, teaching them to change their behaviors.
“We knew about this back in 1987, and we keep saying we need to do it,” Geraghty says. “It takes a long, long time for people to actually change their behavior. But we have to do that, and AI is going to force us to accelerate changing those behaviors.”
