Transcript
Daniel Kroese [00:00:00]: We’re not talking 5% better, 10% better, 15% better. We’re talking doing something in three weeks that would have taken us one, if not more years previously. So that is an inflection point.
Frank Cilluffo [00:00:13]: Welcome to Cyber Focus from the McCrary Institute, where we explore the people and ideas shaping and defending our digital world. I’m your host, Frank Cilluffo, and this week I have the privilege to sit down with Daniel Kroese, who is a repeat podcast guest. He’s here this week to talk about the executive order that was promulgated last week on artificial intelligence and both the innovation and security considerations. And couldn’t ask for a better guest than Daniel. He is a vice president at Palo Alto Networks for Global Policy. He is also a senior fellow with the McCrary Institute here. Prior to Palo Alto Networks, he served as staff director for John Katko, the ranking member of the House Homeland Security Committee, was also staff director of the subcommittee focused on cyber at the Homeland Security Committee for then Congressman John Ratcliffe, now CIA Director and also served at CISA. So couldn’t ask for a better guest, couldn’t ask for a more important topic, and couldn’t ask for a more timely set of issues.
Frank Cilluffo [00:01:18]: Daniel, thank you so much for joining us today.
Daniel Kroese [00:01:20]: Thanks, Frank. Great to be here. And thank you to the McCrary Institute for always being out there dissecting emergent important issues. Look forward to the conversation.
Frank Cilluffo [00:01:29]: Well, we’re trying. And you know, this was just promulgated last week by President Trump. And I think that few issues are dominating DC discussion more so than AI right now. And we’re not going to dissect the entire executive order, but to start with, what jumped out with you? If you had a headline, what is the headline of the executive order?
Daniel Kroese [00:01:53]: For me, it’s always the signaling and the North Star impact. There has been a ton of coverage about the inflection point the global cybersecurity community critical infrastructure faces as a result of advanced frontier models that can be leveraged by adversaries and defenders alike. And there’s been a lot of interest in the right balance of policymaking to get the innovation and security aspect correct. I think it’s always a big deal when the White House weighs in and says this is the policy of the United States of America. This is where we stand, this is the change that we are trying to bring stakeholders together to effectuate, and here’s how we plan to do it. So I think oftentimes we rightfully spend so much time going section by section and this is due after 30 days, and this is due after 90 days. I like to always start with that North Star, the signaling impact, and when I read the purpose, right, it is the policy of the United States to promote AI innovation and security and to work collaboratively with the private sector to modernize and harden systems. Amen. I want a bumper sticker that says that. Right? And that isn’t, those aren’t just words on the paper. That is the President of the United States of America saying, that is our policy. It’s going to take all of us coming together to move out.
Daniel Kroese [00:03:08]: But as a starting point, you talk about the power of advanced AI to transform the digital world we live in. The ability of defenders to harness it to be way faster and better at stopping threats. And then that tug of war between defenders and attackers who will also leverage it. This is a big moment, and big moments require leadership. And I think this executive order is a great example of leadership from the White House to bring focus, to galvanize activity, so we can all get off to the races together.
Frank Cilluffo [00:03:40]: Well said. And in all sincerity, I think AI is the most transformative technology we’ve seen in a long time in terms of both what it means for red, the attacker, and the initiative that it continues to enable and B, the defender. And we’ll get into unpacking some of that. And I might also note Palo Alto Networks is a partner in Glasswing and Mythos, and would love to get some of your thoughts on that as well. But before jumping into that, do you see this as an executive order on AI, cybersecurity, national security, or is it sort of all of the above, which is where I sit, but I don’t want to put words in your mouth.
Daniel Kroese [00:04:23]: I think, Frank, the answer is, of course, yes to all the above. It is increasingly difficult to separate what is an AI issue and what is a cybersecurity issue, because at the end of the day, they are just both different sides of the same coin, which is how we protect our digital way of life. And so it gets to the heart of, really, cybersecurity, at the end of the day, is a data problem. And AI can turbocharge the ability of defenders to make sense of that data and to triage that data in real time to separate the signal from the noise, to stay ahead of attackers. But it also can help attackers be faster, smarter, and more sophisticated about how they find those digital open doors and how they get in quicker, how they get your crown jewels in a faster manner, and how they can maximize disruption. So it’s the ultimate tug of war. AI and cyber, you can’t separate them. The conversation almost has to be together.
Frank Cilluffo [00:05:17]: And I do want to pull that thread in a second, but I think it’s also worth noting the Office of the National Cyber Director had been looking at this long before Mythos. But what has triggered the timing on this? Is it that we’re seeing advanced models or is it taking advantage of recognition for policymakers that are not just in our community focused on this, but they had been moving in this direction, I think thoughtfully for a while now.
Daniel Kroese [00:05:45]: Absolutely. And I think that’s a great point. Sort of walking back sequentially, last July, many of us were at the release of the administration’s AI Action Plan. And there are a lot of provisions in there that talk about the intersection of AI and cyber and a lot of these concepts about that tug of war, that the AI Action Plan calls for a secure by design approach to AI applications and technology, something that Palo Alto Networks supports. Then you fast forward to March of this year when Director Cairncross and team worked collaboratively to get the National Cyber Strategy out the door. Section 5 of the National Cyber Strategy is about securing the emerging technologies that are critical to the country like AI. And so this executive order in many ways is sort of a linear, it’s sequentially following what the White House has been doing. Right? It’s not just out of nowhere. However, there was an event, a precipitating event that put a huge spotlight on, even if this isn’t a new line of effort, why the importance of having White House attention and a bigger spotlight matters. And that obviously, it was the post Mythos moment when as these frontier models by the major frontier labs get more and more advanced, we at some point, and I think most people agree it was Mythos, although that’s not the only model. Now you have OpenAI’s ChatGPT 5.5. These models keep getting better.
Daniel Kroese [00:07:10]: But recognizing that we have reached a step function in terms of capability for these models to discover errors and bugs in software and vulnerabilities and to conduct logic and reasoning about how vulnerabilities might be exploited in a way that was not just incrementally better than previous models, but represented a step function. From the Palo Alto Networks perspective, we’ve been very public saying we think we’re in a three to five month window right now where we have to act. And so to your question about kind of why now? What was the precipitating event? I think when you’re in a three to five month window, when you agree we gotta act, as an American, as a citizen, I’m heartened to see action because that’s exactly what you want to see at the end of the day. In terms of quantifying this, like what does this actually mean? As one of the original participants in Glasswing, the first thing we did at Palo Alto Networks is we point Glasswing at our internal code base, which has products that span network security and cloud security and endpoint security and AI security and all of the above. It’s a large product suite, it’s a lot of code, and when we pointed Glasswing internally there, in three weeks it was able to conduct one to two years worth of red teaming on our own code base. So just to quantify, we’re not talking 5% better, 10% better, 15% better, we’re talking doing something in three weeks that would have taken us one, if not more years previously. So that is an inflection point in my mind.
Frank Cilluffo [00:08:39]: Yeah, that is a staggering example and clearly I think one of the storylines behind everything is everyone wanted access. Not everyone could necessarily absorb all of that information, but I was happy to see in the executive order rural hospitals and others who don’t necessarily have the same resources and capacity recognized. What does that mean from your perspective?
Daniel Kroese [00:09:10]: Yeah, it’s a great point. And I think you’re talking about the section of the EO upgrading American Systems for Advanced AI, which from a cyber company’s perspective is basically galvanizing efforts to harden systems in this three to five month window. And one of the provisions we were particularly encouraged to see in there was asking for a variety of US government entities to develop processes so a range of non federal stakeholders can benefit in a scalable and efficient way from some of the defensive capabilities that these advanced frontier models enable. And it is important, and we’ll get to those sections later on, about having frameworks for early preview access to some of these models. But we also have to recognize that for your average electric utility or water treatment plant, if we were to give them Mythos or GPT-5.5 access tomorrow, due to the operational realities of how they are organized, they wouldn’t know what to do with it. So it’s not as simple as just flicking on access. It’s about how do we scale and democratize the cyber defense benefits of these models. And that’s where there’s a great American innovation story.
Daniel Kroese [00:10:21]: The cybersecurity industry in the United States, yes, Palo Alto Networks, but also a lot of our peers, we’ve invested considerable time and energy building sort of these managed service wrappers, these harnesses are the technical term that allow you to plug in advanced frontier models, but within a scalable red teaming tool that you can then test against these resource poor, target rich entities and help them prioritize the findings in a way that they’ll actually be able to act on it and buy down risk. Because that’s the goal. Three to five months, we got to act now and we got to be prioritized.
Frank Cilluffo [00:10:55]: Almost like a managed services.
Daniel Kroese [00:10:56]: Exactly.
Frank Cilluffo [00:10:58]: Right? And to me that is essential because, and I’m curious, the three to five months, how much does that have to do with a pacing peer in Beijing, or how much of that is more just the technology itself? Because I think we can’t take for granted that the United States will be out in front of this if we’re not investing and doing the hard work. Right?
Daniel Kroese [00:11:25]: Absolutely.
Frank Cilluffo [00:11:26]: And do you think China would have a press conference and handle this as responsibly as say, Anthropic did?
Daniel Kroese [00:11:31]: I do not.
Frank Cilluffo [00:11:32]: Yeah. Until we’re owned. Right?
Daniel Kroese [00:11:34]: Correct. And we have, I think objectively a head start, but it is not an infinite head start. And our models will get more advanced. But if the pacing threat in Beijing through a variety of means is a few steps behind, but it’s constantly playing catch up, then we may have Mythos version 3 and they figured out a way to gain similar capacity and capability to what is Mythos today in a few months. And so if, if the goal is to harden systems before adversaries can leverage advanced models with similar capability to what we have in the US today, that runway is not going to be infinite.
Frank Cilluffo [00:12:18]: Yeah, well said.
Daniel Kroese [00:12:18]: And there’s a variety of ways they may gain access to that level of capabilities, but I think we all have to assume it will happen even if we continue as a country.
Frank Cilluffo [00:12:26]: Exactly. And it’s a continuum. And you know, I almost wonder if it’s more about who operationalizes this AI quicker than it is about the sophistication of the frontier model. Any thoughts on that?
Daniel Kroese [00:12:43]: Yes, again, that was one of the reasons why I was really encouraged to see in that section on upgrading and hardening American AI systems, a direct call out to CISA and other partners to figure out ways to scale existing programs that deploy AI defensive capabilities to a variety of entities and potentially create new programs if they are needed. Because we talk about the tug of war and we talk about a lot of scary things. And I talked about how we did in three weeks what took us previously one to two years and how we do expect adversaries to gain access at some point to similar levels of capability. But we also know for a fact that AI turbocharges cyber defense in unbelievable ways. And so for example, across our 70,000 customer base, we have seen that before AI powered SOCs, it was two to three days to respond and contain a cyber incident, and now for most of our customers, with that tooling, it’s under 10 minutes. And so again, we talk about the step function that Mythos-level frontier models provide in terms of discovery of software bugs. But the other side of that coin is we have to talk about the step function increase that we already have at our fingertips today to use advanced AI defensive tools to allow organizations to better synthesize and stitch together their telemetry, separate signal from the noise and harden their systems.
Daniel Kroese [00:14:02]: So we have that. We should be damn proud as Americans that we have that at our fingertips today to the innovation of a wide range of companies. And I’m proud of the work Palo Alto Networks has done, and we’re of course not the only company. But the fact that the EO calls out specifically think about how we can get AI powered defensive tools and scale them across a wide range of stakeholders who will benefit, that will help us in that tug of war.
Frank Cilluffo [00:14:27]: And to me, how should policymakers think about speed as strategic advantage here? Because ultimately that’s what we’re talking about. And I think that your examples are very powerful in terms of Mythos and what you were able to identify. And most of our systems were built for a different time. And they’re going to have a hard time absorbing some of this, won’t they? I mean, this isn’t Patch Tuesday anymore. This is Patch, Patch five minutes ago, right?
Daniel Kroese [00:14:59]: Absolutely. And you know, if we’re only thinking about how we patch our way out of this, that’s probably not going to be enough of a layered, holistic way to think about cyber defense. But I do think the good news is we’ve been having a lot of the speed conversation. It didn’t just start with Mythos. Now we benefit from having the White House spotlight on this conversation, the galvanizing impact of an executive order like this. But we have been talking about for years how as attackers get faster and faster, that detection response times must be measured in single digit minutes, not days, weeks or never as they previously were. I like to think of those two, mean time to detect, mean time to respond as the cyber vital signs, if you will. They’re the easy metrics that even if you’re a non technical leader of an enterprise, you understand what those mean because they describe exactly what they are. And those should be what you are holding your technical folks feet to the fire against. And that should have been true before Mythos. It’s definitely true now. But the good news is I don’t think we are starting this conversation about speed from scratch. I think the stakes are a little bit higher. You could argue a lot a bit higher. And I think the spotlight is a lot brighter.
Daniel Kroese [00:16:06]: But we are not starting this conversation from scratch.
Frank Cilluffo [00:16:08]: And it is different than other technologies, right, that we’ve seen. I mean, there’s always sort of a red, blue sort of debate here, but, but this is different because it transcends everything.
Daniel Kroese [00:16:20]: Absolutely.
Frank Cilluffo [00:16:20]: And you know, one of the other storylines is whether or not there should be mandatory licensing and sharing of some of the models in advance. I think they ended up in a pretty good place. But I’d be curious what your thinking is there.
Daniel Kroese [00:16:39]: I agree. Finding that right balance between-
Frank Cilluffo [00:16:42]: Which isn’t easy, right?
Daniel Kroese [00:16:43]: Between innovation and safety, there is not some decimal place perfectly precise answer on that. It requires gathering a diverse and wide range of different perspectives across the stakeholder community and figuring out what is a reasonable place to start if we’re going to build a framework. And so I commend the administration and Director Cairncross and all those involved. It is never easy finding that sweet spot, that Goldilocks policy response, if you will, particularly when you have such a diverse set of perspectives on it. But where they ultimately landed in terms of a voluntary framework and up to 30 days for those participating in the framework to engage, that is a reasonable place to start considering that none of that existed a week ago.
Frank Cilluffo [00:17:27]: Exactly. And then the flip side is we also need to, I think we all recognize we can’t afford to lose this race, but at the same time, the security implications are so great. And that’s a tough balance too, just to figure out, I mean it really gets to the crux of economic competitiveness and national security, which are inextricably interwoven. But clearly we have defender issues that we need to ameliorate before these are available to everyone, right?
Daniel Kroese [00:18:03]: Absolutely. If we did not have a culture and an environment that allowed the relentless innovation, we probably wouldn’t have the three to five month head start or whatever you think that is. Right? You might actually be tied or even. And so we have benefited from the fact that our innovative culture has allowed us, although we should be sober and open eyed about that, the lead is not massive, that we do have some lead that allows us to act with alacrity in this period. And so you want to preserve your ability to keep innovating because that innovation has actually put you in a position here where you’re not totally reactive, which is positive, while recognizing that there are a wide range of security and safety concerns, that it’s going to take sort of a whole society effort to wrestle those to ground.
Frank Cilluffo [00:18:53]: And nor should we take for granted that democracies will always be out in front. Autocracies can utilize technology and they don’t have the same headaches to deal with. And I don’t mean that in a pejorative way, but they’re not looking at all the, all the challenging questions a democratic society is looking at.
Daniel Kroese [00:19:12]: Yeah, I used to always joke back in my Hill days, but autocracies don’t really care about parliamentary procedure.
Frank Cilluffo [00:19:17]: Yeah, exactly, exactly. And I mean, that begs the next question. Looking out a little bit to the future, how do you see this all playing out? Because, I mean, it’s one thing to have an executive order, which I think is a huge feat, it’s another thing to implement and make sure that we’re operationalizing all of this, correct?
Daniel Kroese [00:19:39]: Absolutely. And I think we’re going to have to have some advanced conversations about what cyber risk management means as it relates to patching. We can do two things at once. We can be evolved in the way we think about patch management and the best way to sort of prioritize and rack and stack that, recognizing there’s going to be an anticipated increase in volume as software bugs are found that sat undetected for some case, 27, 30 years. So that is an important conversation. But we also have to recognize, to meet this moment from a security perspective, it’s not just about patching faster and faster. The security considerations have to be much more holistic than that. So one thing we have talked about as a company is this concept of virtual patching, where certain security appliances like firewalls that are adjacent to an unpatched box can actually provide compensating controls while that one waits to be patched, recognizing nothing is going to be instantaneous. So stuff like that, which provides risk reduction while the patching is ongoing with a layered zero trust approach. You’re going to have to fold all of that together because the rethinking of patch sequencing is an important conversation, but that will not be a silver bullet entirely for security.
Frank Cilluffo [00:20:52]: And you just can’t ingest so much. I mean, it’s practically very difficult. That’s a very innovative approach to getting to some of those challenges because I mean if you’re a utility, it’s kind of hard to take everything offline for a while, right?
Daniel Kroese [00:21:08]: Exactly. OT in particular, a lot of those have preset once annual, twice annual patch periods and you can’t snap your fingers.
Frank Cilluffo [00:21:15]: And while we’ve clearly turbocharged known exploited vulnerabilities, they’re also a whole, and they’re being bundled. So it’s not just one, it’s how you enable one to get to another. But you’re also coming up with a whole number of new zero day vulnerabilities here. Right? So it’s not just the blocking and tackling, it’s both simultaneously.
Daniel Kroese [00:21:41]: Correct. I do think that is one of the benefits as the hyperscaler Frontier Labs have thought through their preview early access programs and sort of steadily folded more folks into that, is when vendors are able to use that on their own code bases, they will invariably find bugs and then have security advisories. But they’re doing so, they’re not zero days. Right? Because they haven’t been found by the adversary yet, they’re being found by the maker.
Frank Cilluffo [00:22:06]: So they’re, yes, yes, in advance.
Daniel Kroese [00:22:06]: And it’s so they can be released concurrent with patches and other mitigations before they’re being exploited in the wild. Obviously we want to get to a world where software is better and better and better, but a world where bugs are found by leveraging these models to point inwards versus having, finding out that an adversary was exploiting someone’s product. One position is a much better position to be in in terms of the hygiene of your code base.
Frank Cilluffo [00:22:30]: You know, this is an age old question in the cyber, I tend to believe the initiative remains with the attacker and first mover gains even more initiative, but looking out, do you think this benefits red or blue? Offense or defense or both?
Daniel Kroese [00:22:48]: It obviously benefits both. And the question is, who does it benefit more? Our job as a company on the digital front lines every day is to innovate like crazy, to chart out the path forward so defenders can benefit more. I talked about some compelling statistics that are real across existing complicated enterprises, going from two to three days to fully remediate a potential security incident to 10 minutes. Those aren’t made up numbers. That’s what we are seeing today. I think the reason we are seeing that isn’t because it’s not just magic. It is because at the end of the day, cybersecurity is a data problem.
Daniel Kroese [00:23:24]: And we’ve really seen a trend over the last five, seven years of investment in tooling that drives telemetry. So the thing happens, SolarWinds, everyone says, ah, you know what, we didn’t have enough visibility in the endpoint. We should create government directives to require the deployment of endpoint agents. That’s great. Ah, you know what, we were kind of blind in cloud environments. We need new cloud logging requirements. All of those were really well intended and, in a vacuum, positive. But what did they do? They created more data layers coming into the same spot.
Daniel Kroese [00:23:53]: The SOC. And so one of the reasons that we are ultimately encouraged by the benefits for defenders is that we actually see a legacy bottleneck in the place all that data is coming into, all that telemetry is coming to the same overworked analysts who are playing alert, triage, playing whack a mole. So if we can right size that bottleneck, we’re not talking incremental gains, we’re talking going from two to three days to 10 minutes. Obviously the attackers are also getting faster. That’s a really compelling opportunity.
Frank Cilluffo [00:24:22]: Yeah, I love that approach. And not to get philosophical, but I’ve argued we tend to look through rear view mirrors. We basically have let the adversary, we’ve ceded our strategy to the adversary, because they do something, we defend against exactly what we just saw. We have a chance to get out in front of this if we do it right. And I think technology is essential to all of that.
Daniel Kroese [00:24:47]: Leaders must demand speed.
Frank Cilluffo [00:24:50]: And speed is, is, is of the essence. One of the things that the executive order called for and proposed that I think is really important is a clearinghouse. What problem is that trying to address in your eyes?
Daniel Kroese [00:25:03]: A little bit of what the tension we were highlighting earlier about recognizing that with the deluge of CVEs that we anticipate from well intended organizations doing the right thing and leveraging advanced frontier models to improve their code base, they’re going to find bugs that no one knew existed for sometimes up to decades. So you’re going to have this big deluge of CVEs coming, which fortunately for the most part are not going to be zero days, never before discovered that are being actively exploited. They’re going to be vendor discovered software bugs that they’re going to release concurrent with patches and mitigations. However, the volume of that is going to be so overwhelming that I think some of the concern is that you’re actually going to have adversaries weaponize those patches into proofs of concept before you reach a critical mass in patching. And so, and perhaps that even may be, that dynamic may be even more on display, perhaps across a lot of the open source community. The resourcing for the open source maintainers certainly varies across the industry. And so the idea of the clearinghouse is again, it is a voluntary provision in the EO, but saying, well, could there be some coalition of the willing that comes together and we think about, as you think about that sequencing of vendor gets access to a frontier model for a virtuous purpose, improve the code base. It finds vulnerabilities that it needs to publicly disclose. What is sort of the sequencing and staggering so that that whole responsible disclosure process and the ability of the end users to sort of ingest those security advisories and act upon them, that the alignment there makes sense for the community and ultimately doesn’t introduce more risk into the ecosystem. So I think that is the intent behind the provision there.
Daniel Kroese [00:26:57]: And you know, they want a wide range of stakeholders to participate. Again, it is voluntary. It is very clear. They’re not looking to sort of force vendors to completely turn upside down existing responsible disclosure practices, but provide a convening mechanism so that these conversations can take place in a protected manner.
Frank Cilluffo [00:27:12]: And ingest them before they’re, so we don’t want to put a big kick me sign out there either. Right? For known vulnerabilities, we have the opportunity to ameliorate the risk before it’s widely known. Is that correct?
Daniel Kroese [00:27:30]: Yeah, I think that dynamic is the impetus behind a voluntary concept like this is in this post Mythos world, with the volume we anticipate, if we only rely on sort of existing practices, is that going to advertise too much to the adversary? And these are complicated dynamics. You need to have a protected forum.
Frank Cilluffo [00:27:51]: And transparency security, innovation security, all these are the, these are like big pressing issues that are coming to the fore right now.
Daniel Kroese [00:27:59]: Absolutely.
Frank Cilluffo [00:28:00]: You know, the KEV list has what, like 1500, the known exploited vulnerability list managed by CISA, 1500 on that list. What number would you put that at today in a post Mythos world?
Daniel Kroese [00:28:16]: I think you’re going to see-
Frank Cilluffo [00:28:17]: It’s going to quadruple?
Daniel Kroese [00:28:18]: A rapid increase there. And yeah, sure, that’s-
Frank Cilluffo [00:28:22]: I don’t know, that’s a ballpark guess.
Daniel Kroese [00:28:24]: But it’s going to go up a lot. And I think recognizing that this is an important time for conversations around sort of how do you prioritize. We have an existing scheme to prioritize vulnerabilities, the CVSS scheme that has critical and high and moderate and so forth. And so I do think that there’s a reality that not every KEV vulnerability-
Frank Cilluffo [00:28:48]: Is equal.
Daniel Kroese [00:28:49]: Yeah, they’re not all equal to another in terms of, we should obviously never celebrate software bugs. We should strive to have better software. But exploitation of one of those vulnerabilities may cause a minor nuisance for a user, but not create the risk of a major security incident, while the exploitation of another may allow some sort of root or privileged access and all sorts of lateral movement. And so the CVSS scoring mechanism I believe is an attempt to take that into account. And so I think you’re probably going to even see more attention paid to the racking and stacking there in terms of, if the goal is to recognize this window we’re in where we have to act, appreciating the EO is putting a spotlight on that, then you have to be prioritized and strategic how you buy down risk in that period. It’s not just an easy button.
Frank Cilluffo [00:29:39]: It’s not just business as usual either, right?
Daniel Kroese [00:29:41]: Sure, yeah.
Frank Cilluffo [00:29:42]: You know, the executive order also prioritizes or asks, focuses on DOJ, prioritizing crimes where AI is used. Do you think our laws are up to pace? You worked on the Hill for a long time and obviously this isn’t just about laws, but I was happy to see that because it’s not just the national security nation state risks, but also ransomware operators, gangs and other criminal enterprises. What do you think that indicates, if anything?
Daniel Kroese [00:30:17]: Well, as an analog here, and you can tell me if you like it or not, but I think deterrence matters and I think in the cybersecurity world, not to oversimplify it, but it’s a combination of defense and deterrence and you need both of those.
Frank Cilluffo [00:30:32]: Impose cost and consequence and bad behavior. Right?
Daniel Kroese [00:30:34]: That’s right. And we spent a lot of the conversation here talking about hardening systems, which absolutely needs to happen. We need to meet this moment and this window we’re in, but the ability to do so in a more impactful way is only helped if we have a deterrent impact. And I think in a way that CISA can’t, DOJ has tools in the deterrence department.
Frank Cilluffo [00:30:57]: You know, a couple of very quick questions. Most important provision in the executive order.
Daniel Kroese [00:31:04]: I think it’s that, and you may find this to be an interesting answer, the purpose statement, I go back to that North Star signaling impact, and again, I probably need a little bit of a small font if I’m going to fit this on a bumper sticker, but it is the policy of the US to promote AI innovation and security and to work collaboratively with the private sector to modernize and harden systems. I would dare anyone to find someone who disagrees with that. Obviously, the devil’s in the details how you use that galvanizing force to then effectuate change and drive measurable risk reduction. Of course, the work begins now, but I think just circling the wagons with that is really helpful.
Daniel Kroese [00:31:47]: And we should not underestimate the impact that we have the White House and the President of the United States saying that is our position. Ready, go.
Frank Cilluffo [00:31:54]: Well said. Most misunderstood provision.
Daniel Kroese [00:31:59]: Well, there’s obviously been a lot of chatter about kind of the Goldilocks element here of safety.
Frank Cilluffo [00:32:06]: And there’s no right or wrong to all of this. Right? I mean, I believe it’s good that you have debate within the interagency.
Daniel Kroese [00:32:14]: But I think a lot of the key provisions in here that required a balancing act, whether it was the Clearinghouse or the framework for covered frontier models, the word voluntary is a key word in all those sentences. And recognizing that effectuating the national level risk reduction we want is going to require so many stakeholders at the table working really earnestly, sleeves rolled up on condensed timelines. I think there’s value to reinforcing and triple underlining the partnership element of it. And you’re gonna do that probably most effectively through these voluntary structures.
Frank Cilluffo [00:32:51]: And I’ve got to use that as my PSA. This isn’t about information sharing alone. It’s about operational collaboration, and the public private partnership as we know it is changing. And we’ve got to make sure we, we put gas in the tank to make that happen. Two final quick questions. One thing Congress should focus on, if anything?
Daniel Kroese [00:33:13]: I think having a fully operational and resourced CISA is important going forward. Absolutely. As a proud alum of the agency, I want to see it be successful. And I talked about a lot of the provisions earlier that point to CISA to leverage, to scale, to grow, to establish programs, to fully spread the power of AI cyber defense to a wide range of entities that otherwise might not benefit from it. So let’s make sure we give it what it needs to do there. And then there’s a section in the EO that calls for looking at sort of existing grant programs and how those similarly can democratize a lot of the cyber defense benefits to state and local governments and the like. And so, you know, Congress, there’s a healthy debate going on right now about the best way to extend and continue and to reinvest in the state and local cybersecurity grant program. As a company, we do a lot of work with state and local entities across the country.
Daniel Kroese [00:34:10]: They’re often on the front lines. They need resources. So let’s think about the smart way to ensure that we have those programs going forward.
Frank Cilluffo [00:34:17]: You know we’re huge proponents of SLCGP. Last question. One thing every CEO should take away from the executive order and anything the CISO should do today, tomorrow, or not too many days after that.
Daniel Kroese [00:34:32]: To harden systems, there is no singular silver bullet, but you need to understand in a measurable way how your current apparatus is set up to detect and respond to cyber incidents. This was true before Mythos, and Mythos has been a galvanizing inflection point. But in some ways, we can’t let the significance of that demarcation line distract us from the fact that we have been marshaling an effort to drive measurable improvements in cyber outcomes, mean time to detect, mean time to respond, for many years now. And if you’re a CEO, if you’re the person sitting in the big chair responsible for the overarching risk management posture of your enterprise, understanding what you were doing to drive those numbers from weeks, days, to single-digit minutes, it mattered six months ago, it mattered three months ago, and it matters today. So in some ways, eye on the prize.
Frank Cilluffo [00:35:24]: Consistent.
Daniel Kroese [00:35:25]: Maybe just pressing the gas a little bit.
Frank Cilluffo [00:35:27]: Well, well said. Any questions I didn’t ask that I should have?
Daniel Kroese [00:35:30]: I think you covered the full waterfront.
Frank Cilluffo [00:35:32]: Daniel, thank you so much for joining us today. Thank you for consistently fighting the good fight, and we’ll have you on again soon. Thank you.
Daniel Kroese [00:35:40]: Thanks, Frank. Appreciate it.
Frank Cilluffo [00:35:40]: Thanks, Daniel. Thank you for joining us for this episode of Cyber Focus. If you liked what you heard, please consider subscribing. Your ratings and reviews help us reach more listeners. Drop us a line if you have any ideas in terms of topics, themes, or individuals you’d like for us to host. Until next time, stay safe, stay informed, and stay curious.