Zero Day Factory: How to Manage Risks from New AI-Driven Vulnerability Discovery Capabilities
Reports that new, advanced AI models are capable of finding unknown and potentially dangerous software vulnerabilities at record speeds have been a focus for cybersecurity professionals over the past several weeks. The gravity and novelty of the potential threat have now drawn attention from across industry and the U.S. government. The White House Office of the National Cyber Director, for example, is reportedly convening industry roundtables, and technical experts have begun to offer initial recommendations. AI-driven vulnerability discovery capabilities, if used by malicious actors, could make it dramatically easier and faster for even low-skill criminals (let alone nation-state hackers) to find and take advantage of vulnerabilities.
So what should companies be doing now? The capabilities described would appear to give the advantage to malicious cyber actors, because significant and previously unknown “zero day” vulnerabilities can be found and exploited in a matter of hours. These capabilities will present risks in the short term, but may lead to broader changes in how software is developed, used, and updated.
There are steps companies can take to protect themselves now, in the short term, and to set their teams up for success in the longer term.
- Assess potential changes to your vulnerability management process. Patching will need to shift from scheduled to dynamic. Getting faster at patching may include bringing on additional AI-based capabilities. The first step is to realistically assess and inventory your existing capabilities, whether in-house or through vendors. There may be capabilities that you already have, or have access to, that can help identify vulnerabilities or facilitate patching.
- Consider contractual updates. Many commercial contracts have language mandating that a party cooperate with the other party’s investigation of a cybersecurity incident, while Service Level Agreements often include a specific response time from the vendor. Companies should assess their critical supplier agreements to understand the time windows. Cooperation and support may need to come faster when an AI-driven threat is in play. You may also need to plan for situations in which your vendor becomes overwhelmed: how would your business operate if a core capability were unsafe to use or unavailable?
- Understand your reporting and notification obligations. In the event of a successful attack or intrusion from exploitation of vulnerabilities, there are a number of potential mandatory or discretionary reporting or notification obligations that may need to be met under tight time deadlines. Preparing materials that detail your existing requirements can save time and money in the event of an incident or data compromise.
- Reevaluate security of your most critical data. Given AI’s ability to enable attackers to more precisely identify valuable data, businesses might need to consider new ways to store, use, transmit, and protect that data. Adding encryption, access controls, or alerts on attempted access to critical data may be prudent.
- Conduct AI-enabled vulnerability assessments. It may be possible to bolster privilege claims for the results of reports or assessments by having counsel direct the assessments as part of addressing legitimate litigation and regulatory concerns with potential compromises. Organizations can identify and prioritize mitigation steps based on the results, in consultation with counsel.
- Use AI to defend against AI. There are tools and capabilities on the market that can help accelerate cyber defense, such as monitoring, identifying suspicious activity, and triaging events for analysts.
- Invest in training and education. Organizations face pressure to adopt new technology and reduce costs, and may be moving to hire employees recently trained in new technology or be tempted to replace workers with technology. However, educating and training existing employees who have institutional knowledge is a wise part of any new technology adoption plan.
- Practice your incident response procedures under expected conditions. Even if an adversary is moving faster than your team has seen before, you will still need to execute the core tasks of containment and remediation, while meeting regulatory reporting obligations. Consider putting in place incident response retainers that can ensure a rapid response time by your preferred vendor. Being able to activate your response plan with appropriate decision-makers and experts will give you confidence in your readiness to respond to even the fastest attacks.
AI-driven vulnerability discovery capabilities are likely to have significant implications outside of security threats. Widespread availability of these capabilities may change the standard of care for software developers as well as network defenders. Companies that develop and ship software may consider running these AI-powered vulnerability identification tools against their own products. Companies that buy software may want to consider contract terms mandating use of automated capabilities to test for vulnerabilities.
Clear and well-tested governance processes remain an important part of adapting to these technological changes. Foundational cybersecurity practices such as network segmentation, identity and access controls, and, yes, patching, still work – but the way in which your organization prioritizes and manages those activities may need to evolve as threats and technologies continue to change.
We have found, across numerous incidents and government investigations, that advance preparation can help smooth incident response, reduce costs, and reassure regulators and customers that a program was reasonably designed in response to evolving risk.
