
Researchers fault Trump AI EO on vulnerability management

A new clearinghouse does little for defenders if the real failure point is remediation speed at the network edge.


TL;DR

Security researchers told an IST webinar that President Trump’s June 2 artificial intelligence executive order relies on older vulnerability-management assumptions while exploit timelines compress from months or years to days, hours or minutes. The order tasks Treasury with a voluntary AI cybersecurity clearinghouse and directs the Cybersecurity and Infrastructure Security Agency to issue binding operational directives. The critique lands on a familiar asymmetry: attackers do not need a Common Vulnerabilities and Exposures record; defenders often do.

Inside Cybersecurity reports that security researchers are pressing on the practical gap in President Trump’s June 2 artificial intelligence executive order: it creates more coordination machinery for vulnerability scanning and patching, but the people doing vulnerability management are already losing on time. Katie Noble, Intel’s director of product security incident response and bug bounty and a former CISA vulnerability-management official, said the order reads as if it were built around “the ideals and understanding of five years ago.” Her sharper point was operational, not political: exploit development has moved from months or years to “days to minutes to hours,” while defensive processes still depend on intake, scoring, records and patch deployment.

That is the uncomfortable part of the story. The order tasks Treasury with leading a voluntary cybersecurity clearinghouse for frontier AI models and directs the Cybersecurity and Infrastructure Security Agency to issue binding operational directives and guidance to facilitate access to cybersecurity tools and services. Those are real federal levers. They also sound a lot like the kind of answer Washington already knows how to give: convene, prioritize, publish, coordinate. Noble compared the proposed clearinghouse to CISA’s Joint Cyber Defense Collaborative and sector-specific information sharing and analysis centers, saying she wants to see how the implementation plan differs from prior efforts.

Jason Kikta of Automox, a former U.S. Cyber Command public-private partnerships chief, put the problem more bluntly. He called Treasury’s lead role “perplexing,” then granted the practical possibility that Treasury might at least have funding. His bigger criticism was that funding coordination is not the same as funding capacity. A better patch list helps only if an organization can deploy the patch quickly enough to matter. For compliance and security teams, that is the Monday problem: the executive order may create a better federal routing layer, but the measurable test is whether time to remediate drops where systems are actually built and operated.


Published · Deep Fathom