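2026-05-01 17:04:05 UTC / Reuters
Exclusive: US officials consider shortening vulnerability-fix deadlines to counter AI-driven hacking, sources say
By Raphael Satter
May 1, 2026 5:04 PM UTC, updated 2 hours ago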
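The letters AI (Artificial Intelligence) are placed on a computer motherboard in this illustration taken June 23, 2023. REUTERS/Dado Ruvic/Illustration/File Photo
- Summary
- The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has proposed cutting government vulnerability-fix deadlines from three weeks to three days, sources say
- The suggestion comes as AI models such as Anthropic’s Mythos sharply boost hackers’ ability to exploit vulnerabilities
- Experts warn that moves to shorten the fix deadlines may run into resource and readiness shortfalls
WASHINGTON, May 1 (Reuters) - U.S. cybersecurity officials are considering sharply shortening the deadlines for fixing major vulnerabilities in government IT systems, out of concern that hackers could launch attacks using artificial-intelligence tools such as Anthropic’s Mythos, people familiar with the matter said.
The proposal, which has not been previously reported, would sharply cut the average response deadline for actively exploited vulnerabilities from two or three weeks to three days, the people said.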
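Anxiety over the capabilities and proliferation of AI models such as Mythos and OpenAI’s GPT-5.4-Cyber has been growing in recent weeks. Although hackers have been deploying AI technology since at least 2023, these new models are said to be able to easily identify previously undiscovered vulnerabilities or use freshly disclosed ones to carry out complex hacking operations. Where hackers previously might have needed months, weeks or days to exploit a software flaw, in at least some cases that timeframe has been compressed to hours.
Stephen Boyer, founder of the cybersecurity company Bitsight, which has previously helped CISA compile its vulnerability catalogue, said the shift is in turn putting pressure on defenders to respond at full speed.
“If you’re going to protect civilian agencies, you have to move faster,” Boyer said. “The window we have is no longer as long as it used to be.”
Two people familiar with the matter said the proposed deadline change was being discussed by Nick Andersen, acting director of the Cybersecurity and Infrastructure Security Agency, and Sean Cairncross, the U.S. national cyber director. Reuters could not confirm whether a final decision had been made or when an outcome could be expected. CISA and the Office of the National Cyber Director did not immediately comment.
For years CISA has compiled a catalogue of known-and-exploited vulnerabilities (KEVs), which are treated as priorities because they are public and are being actively abused by criminals or spies. According to cybersecurity researcher Glenn Thorpe, CISA has typically given civilian agencies three weeks to fix a flaw once it is added to the database, although that deadline has recently been shortened to about two weeks. Deadlines are occasionally compressed to deal with particularly serious problems, but the new proposal would cut the default fix deadline to just three days, the sources said.
The discussions at CISA come as business leaders and the digital security industry work to cope with the impact of the release of more advanced AI models. The banking industry in particular has been thrown into disarray, with regulators racing to work out how dangerous the new technology is.
Nitin Natarajan, who served as CISA’s deputy director under former President Joe Biden, said CISA’s tightening of fix deadlines could become a model for state and local governments, businesses and other organizations.
“This sends a signal to others: ‘Hey, you need to move faster,’” he said.
Natarajan, who now heads the cyber consultancy NN Global, said shortening the fix deadlines was reasonable given how fast AI-driven threats are evolving. But he warned that CISA, badly weakened by large-scale layoffs and government shutdowns under President Donald Trump, needs sufficient capacity to handle the pressure of shorter deadlines.
“We’ve seen their resources, both funding and expertise, reduced,” Natarajan said.
Kecia Hoyt, a vice president at the threat intelligence firm Flashpoint, warned that fixing software vulnerabilities is a complex process that requires detailed testing before deployment. “Realistically, a three-day deadline is simply impossible for some environments,” she said.
John Hammond, senior principal security researcher at Maryland-based Huntress, said cutting the fix deadline to three days would be “quite a big change.” Although he is cautiously optimistic about moving faster, “only time will tell whether the industry can keep up.”
Reporting by Raphael Satter; Editing by Chizu Nomiyama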
Exclusive: US officials weigh cutting deadlines to fix digital flaws amid worries over AI-powered hacking, sources say
2026-05-01 17:04:05 UTC / Reuters
By Raphael Satter
May 1, 2026 5:04 PM UTC Updated 2 hours ago
AI (Artificial Intelligence) letters are placed on computer motherboard in this illustration taken, June 23, 2023. REUTERS/Dado Ruvic/Illustration/File Photo
- Summary
- CISA proposal would cut government bug fixing deadlines from 3 weeks to 3 days, sources say
- Suggestion comes as AI models like Anthropic’s Mythos boost hackers’ ability to exploit flaws
- Experts caution that moves to tighten deadlines may run up against resource and readiness issues
WASHINGTON, May 1 (Reuters) – U.S. cybersecurity officials are considering sharply shorter deadlines for fixing critical flaws in government IT systems, amid concerns hackers could exploit them using artificial‑intelligence tools such as Anthropic’s Mythos, people familiar with the matter said.
The move, which has not been previously reported, would slash the deadline for responding to actively exploited vulnerabilities from an average of two or three weeks to three days, the people said.
Anxiety over the power and proliferation of AI models like Mythos and OpenAI’s GPT‑5.4‑Cyber has been building for weeks. Although hackers have been deploying AI since at least 2023, these newer models are said to be able to easily identify previously unknown vulnerabilities or seize on freshly disclosed ones to enable complex hacking operations. So while it previously might have taken hackers several months, weeks, or days to take advantage of software flaws, that timeframe has been compressed, in at least some cases, to a matter of hours.
That in turn is putting pressure on defenders to kick into high gear, said Stephen Boyer, the founder of cybersecurity company Bitsight, which has previously helped CISA catalogue vulnerabilities.
“If you’re going to protect civil agencies, you’re going to have to move faster,” Boyer said. “We don’t have as much of a window as we used to have.”
The two sources familiar with the matter said the deadline proposals were being discussed by Nick Andersen, the acting chief of the Cybersecurity and Infrastructure Security Agency, and Sean Cairncross, the U.S. national cyber director. Reuters could not establish whether a final decision on the matter has been made or when one could be expected. CISA and the Office of the National Cyber Director did not immediately offer comment.
CISA has for years curated a catalogue of known-and-exploited vulnerabilities, or KEVs, which are seen as priorities because they are out in the open and actively being abused by criminals or spies. CISA has typically given civilian agencies a three-week deadline to fix such flaws once they are added to the database, according to cybersecurity researcher Glenn Thorpe, although that has recently dropped to around two weeks. Deadlines are occasionally compressed to deal with particularly serious problems, but the new proposal would see the default cut down to just three days, the sources said.
The discussions at CISA come as business leaders and the digital security industry grapple with the fallout from the release of more advanced AI models. The banking industry, in particular, has been sent scrambling as regulators race to get a handle on how dangerous the new technology is.
Tightening deadlines at CISA will likely serve as a model for state and local governments as well as businesses and other groups, said Nitin Natarajan, who served as the deputy director of CISA under former President Joe Biden.
“This is a signal to others that says, ‘Hey you need to do this more quickly,’” he said.
Natarajan, who now runs the cyber consultancy NN Global, said speeding up the deadlines made sense given how quickly AI-powered threats were evolving. But he warned that CISA – which has been depleted by deep job cuts and buffeted by government shutdowns under President Donald Trump – needed the capacity to handle the strain of tighter deadlines.
“We’ve seen a reduction in their resources, both in funding and expertise,” Natarajan said.
Kecia Hoyt, a vice president at the threat intelligence firm Flashpoint, warned that patching software flaws could be a complicated process involving detailed tests ahead of deployment. “Realistically, three days is simply impossible for some environments,” she said.
John Hammond, the senior principal security researcher at Maryland-based Huntress, said dropping deadlines to three days would be “quite a change.” While he said he was cautiously optimistic about running things faster, “only time will tell how well the industry keeps up.”
Reporting by Raphael Satter; Editing by Chizu Nomiyama