AI Cybersecurity After the Executive Order: What's Next?
Congressional Internet Caucus Academy - Washington DC - June 12, 2026
VIDEO | AUDIO | RECAP EN / ES / FR | ARCHIVE | PERMALINK
Speakers: Kate Charlet - Senior Director for Privacy, Safety, and Security Policy, Google; Ari Schwartz - Managing Director of Cybersecurity Services and Policy, Venable LLP; Elizabeth Chernow - Associate Vice President, Public Policy, Comcast Corporation; Prem M. Trivedi - Director, New America’s Open Technology Institute
Moderator: Shane Tews - Nonresident Senior Fellow, American Enterprise Institute
The Congressional Internet Caucus Academy convened a discussion examining the rapidly evolving intersection of artificial intelligence and cybersecurity following the administration’s June 2 executive order on AI cybersecurity. Moderator Shane Tews opened by noting how quickly the landscape was shifting, observing that even discussions held only days earlier would already be outdated because of the pace of developments surrounding AI-driven cybersecurity threats and policy responses. She framed cybersecurity not simply as a technology-sector issue, but as a challenge affecting every institution and individual dependent on digital systems.
The panel focused heavily on the emergence of advanced frontier AI systems such as “Mythos,” discussing how these models are transforming both offensive cyber capabilities and defensive security operations. Tews also highlighted the growing complexity of cybersecurity policy itself, joking about the proliferation of acronyms and technical terminology that even seasoned cyber professionals struggle to track.
AI and the Transformation of Cyber Threats
Kate Charlet explained that AI-driven cyber threats have evolved steadily over several years, initially appearing in relatively simple forms such as AI-assisted phishing emails with improved grammar and personalization. More recently, however, AI systems have begun operating across the entire cyberattack lifecycle. Threat actors are now using AI to discover vulnerabilities, generate exploits, automate attacks, evade defenses in real time, and deploy increasingly autonomous malware. She noted that Google’s Threat Intelligence Group had recently observed the first instance of an AI system both identifying and exploiting a zero-day vulnerability.
Ari Schwartz emphasized how dramatically frontier AI models are accelerating vulnerability discovery. Drawing on discussions with companies participating in the “Project Glasswing” initiative, he explained that organizations that previously dealt with roughly 50 major exploits over a two-year period were suddenly facing as many as 40 serious vulnerabilities every day. He stressed that the vulnerabilities identified by systems like Mythos are immediately actionable because exploit code is generated simultaneously with the vulnerability discovery itself, eliminating the traditional delay between identifying a flaw and weaponizing it.
Prem Trivedi described the current moment as a reckoning with decades of accumulated cybersecurity “technical debt.” He argued that legacy systems, unpatched software, and outdated infrastructure have suddenly become highly exposed because advanced AI systems can industrialize the process of identifying and exploiting weaknesses at massive scale. He pointed to reports that AI-assisted scanning had surfaced more than 10,000 critical flaws in only a matter of weeks, dramatically shrinking the time defenders have available to respond.
Critical Infrastructure and the Defensive Response
Elizabeth Chernow described the implications for Comcast as one of the nation’s largest critical infrastructure operators. She explained that Comcast’s network supports more than 30 million customers and carries roughly half of all US broadband traffic, making cybersecurity central to the company’s operations. Comcast employs AI extensively in its defensive security architecture, using AI-driven tools to detect threats, secure customer networks, and harden infrastructure against attack. At the same time, she warned that frontier AI models significantly raise the stakes because attackers may soon gain capabilities that defenders cannot counter unless critical infrastructure operators receive early access to advanced security models themselves.
The panel repeatedly emphasized that AI is also creating powerful opportunities for defenders. Kate Charlet outlined how AI systems are already being used to identify vulnerabilities and assist with patch generation. She discussed Google tools such as “CodeMender,” which not only locate flaws but attempt to generate fixes automatically. Looking further ahead, she argued that AI could eventually be embedded throughout software development workflows so that insecure code is less likely to be written in the first place. AI-driven defensive systems may also continuously monitor enterprise environments, identify attack paths, and autonomously mitigate risks in real time.
However, panelists stressed that deploying AI defensively is neither easy nor inexpensive. Ari Schwartz warned that rewriting codebases, validating AI-generated patches, and retraining staff all require substantial investments in both human expertise and computational resources. He argued that many executives and investors misunderstand the economics of cybersecurity AI, assuming AI adoption will reduce staffing needs when, in reality, effective cybersecurity often requires more personnel working alongside more AI systems.
Elizabeth Chernow added that patching is far more complex than simply applying fixes. Security teams must validate patches carefully to ensure that fixing one vulnerability does not unintentionally break other systems or create new operational risks.
The Executive Order and AI Cybersecurity Clearinghouse
A major focus of the discussion was the administration’s executive order establishing an AI cybersecurity clearinghouse intended to coordinate vulnerability scanning, validation, patch distribution, and remediation efforts across government and critical infrastructure sectors. Tews framed the issue as a growing challenge for sectors ranging from healthcare and banking to telecommunications and utilities, particularly given ongoing concerns about the staffing and resources available to agencies such as CISA.
Ari Schwartz argued that the clearinghouse could become essential for organizations overwhelmed by the sheer scale of vulnerabilities generated by AI systems. He explained that companies accustomed to processing only a handful of patches each week are now confronting dozens across every major software dependency. He also criticized existing vulnerability scoring systems such as CVSS, arguing that they are poorly suited to an AI-driven environment where seemingly minor vulnerabilities can be chained together into severe exploits.
Prem Trivedi stressed that the clearinghouse must focus not only on sharing information about vulnerabilities, but also on remediation and coordination. He argued that institutional management challenges and human coordination failures may ultimately prove harder to solve than the technical vulnerabilities themselves.
Elizabeth Chernow discussed a Comcast-supported Aspen Digital paper advocating for a “responsible advanced access” framework for frontier AI cybersecurity models. She argued that decisions about which organizations receive early access to advanced AI capabilities should not be left solely to individual AI companies. Instead, she proposed a transparent, publicly accountable framework involving sector coordinating councils and critical infrastructure stakeholders to ensure defenders gain access before adversaries do.
Information Sharing, ISACs, and Public-Private Coordination
The panel also examined the future of public-private cybersecurity coordination mechanisms such as ISACs (Information Sharing and Analysis Centers). Tews provided historical context, explaining that ISACs originally emerged in the telecommunications sector following the breakup of AT&T and later expanded into industries such as hospitality, finance, and information technology.
Elizabeth Chernow highlighted the launch of the communications sector’s new C2 ISAC, which focuses specifically on cybersecurity threat sharing. She described it as an example of how industries are adapting public-private coordination models to the AI era.
Kate Charlet argued that AI-specific cybersecurity coordination should complement, rather than replace, sector-based ISACs because AI-enabled threats affect every critical infrastructure domain simultaneously.
Ari Schwartz noted that uncertainty remains regarding how the proposed AI ISAC from earlier executive actions will interact with the new clearinghouse model. He also referenced concerns within industry about whether cybersecurity coordination structures should remain industry-led rather than government-directed.
Prem Trivedi emphasized that strong liability protections and safe harbor provisions remain critical if companies are expected to share vulnerabilities and remediation information openly. He argued that institutions are understandably reluctant to expose themselves to legal or reputational risk by disclosing security failures without adequate protections.
Building on that point, Ari Schwartz urged Congress to reauthorize the Cybersecurity Information Sharing Act (CISA 2015), describing it as one of the single most important legislative steps lawmakers could take to preserve effective cybersecurity collaboration.
Open Source Security and Legislative Priorities
The panel discussed proposed legislation from Congressman Jay Obernolte related to AI cybersecurity. Ari Schwartz praised the bill’s emphasis on open-source software security, warning that open-source maintainers often lack the resources needed to respond quickly to AI-discovered vulnerabilities despite open-source software underpinning large portions of the global digital ecosystem.
Elizabeth Chernow noted that the legislation’s proposed early-access regime for open-source maintainers and federal agencies represented an important step forward, but reiterated that critical infrastructure operators also require early access to advanced AI cybersecurity tools.
Kate Charlet argued that defenders do not necessarily require the most advanced frontier AI systems to improve security substantially. Broader modernization efforts such as cloud adoption and software-as-a-service deployments can also help organizations benefit from AI-driven cybersecurity capabilities more quickly.
Privacy, Security, and Consumer Harm
The conversation expanded into privacy and data security policy. Elizabeth Chernow endorsed the need for a national privacy law, referencing the Secure Data Act.
Prem Trivedi strongly supported comprehensive federal privacy legislation, arguing that privacy and security are fundamentally interconnected. He emphasized that data cannot be stolen if it is never collected or retained unnecessarily, framing data minimization as a core cybersecurity principle as much as a privacy safeguard.
The panel also stressed that cybersecurity vulnerabilities increasingly translate into direct consumer harms, including fraud, scams, denial of services, and disruptions to essential infrastructure. Trivedi argued that policymakers must bridge traditional divides between national security and consumer protection frameworks when addressing AI-driven cyber threats.
Short-Term Turbulence and Long-Term Outlook
When asked whether the executive order and current policy efforts are sufficient, panelists agreed that the next 12 to 18 months are likely to be highly disruptive.
Kate Charlet said organizations are entering a difficult adjustment period but expressed optimism that AI-powered defensive tools could eventually help rebalance cybersecurity in favor of defenders.
Ari Schwartz was more blunt, describing the short-term outlook as “unfathomably bad” because of the scale and unpredictability of AI-enabled vulnerabilities. Nevertheless, he argued that AI-assisted secure coding and patching could eventually eliminate many common software vulnerabilities and fundamentally improve the long-term cybersecurity environment.
The panel concluded with a reminder that basic cybersecurity hygiene remains essential despite rapid advances in AI. Kate Charlet, Elizabeth Chernow, and Ari Schwartz all stressed the continuing importance of password management, software updates, secure-by-design practices, and multi-factor authentication as foundational defenses that remain highly effective against many common attacks.
RESOURCES
AI Cybersecurity After the Executive Order: What’s Next? — the Congressional Internet Caucus Academy event this recap covers
“Responsible Advanced Access for Frontier AI Models” (Aspen Digital) — Liz Chernow’s paper and the panel’s “summer reading” pick
“Anthropic’s Project Glasswing Is a Warning” (Shane Tews, AEI) — the moderator’s blog on Mythos and accumulated cybersecurity technical debt
Cybersecurity Information Sharing Act of 2015 — the safe-harbor law Ari Schwartz urged Congress to reauthorize long-term
Great American AI Act (Obernolte–Trahan discussion draft) — the bipartisan AI bill discussed, including its open-source and early-access provisions
Google AI Threat Defense (CodeMender, Big Sleep, Wiz) — the AI cyber-defense tools Kate Charlet described
Google’s 2029 post-quantum cryptography timeline — the quantum-migration blog Kate Charlet flagged as her off-topic reading
Common Vulnerability Scoring System (CVSS) — the vulnerability scoring system Ari Schwartz critiqued for chained vulnerabilities
National Vulnerability Database (NIST/MITRE) — the vulnerability repository referenced in the scoring discussion
Cybersecurity Coalition — the industry coalition Ari Schwartz serves as Executive Director