Transcript: America’s Cybersecurity Crisis Starts With Software (W/Jen Easterly)

Stay Tuned with Preet Bharara
May 22, 2026

Key Takeaways

  • Software flaws, not hackers, drive most U.S. cyber breaches
  • CISA’s Secure‑by‑Design pledge secures hundreds of vendor commitments
  • Proposed software liability regime mirrors auto‑industry safety rules
  • Anthropic Mythos and GPT‑5.5 can auto‑detect code vulnerabilities
  • Constrained AI deployment gives defenders early advantage over attackers

Pulse Analysis

The United States faces a systemic cyber risk that originates far beyond the headline‑grabbing ransomware attacks. For decades, software has been treated as a credence good—buyers cannot easily assess its security, so vendors focus on rapid releases and low cost. This market failure has left critical infrastructure exposed, prompting CISA to launch the Secure‑by‑Design pledge, which encourages vendors to embed security testing into their development cycles. Industry leaders, from J.P. Morgan to major cloud providers, are now signing on, while lawmakers debate a software‑liability regime that would hold manufacturers accountable much as auto‑makers are held liable for defective vehicles. Such a regime could shift risk back to producers, incentivizing higher‑quality code and reducing the perpetual arms race with cyber‑criminals.

Frontier AI models are reshaping the defensive landscape. Anthropic’s Mythos and OpenAI’s GPT‑5.5‑Cyber demonstrate unprecedented ability to scan massive codebases, pinpointing vulnerabilities at a speed no human team can match. Their constrained roll‑out—limited to vetted cybersecurity firms and critical‑infrastructure operators—gives defenders a head start, allowing patches before adversaries can weaponize the same capabilities. As these tools mature, they promise to turn vulnerability discovery from a reactive chore into a proactive, automated process, dramatically lowering the cost and time required to harden software.

Policy is catching up with technology. The forthcoming executive order on AI and cybersecurity is expected to formalize voluntary industry safeguards, mandate risk assessments for high‑impact models, and encourage the development of standards through the AI Security Institute. Coupled with a potential software‑liability framework, these measures could create a virtuous cycle: higher‑quality software reduces breach incidents, which in turn lowers insurance premiums and regulatory scrutiny. For businesses, embracing Secure‑by‑Design practices and leveraging AI‑driven code analysis will become essential to stay compliant and protect their digital assets in an increasingly hostile cyber environment.