
Three weeks ago, the Five Eyes intelligence alliance issued a warning that unprecedented cybersecurity risks posed by frontier models would become acute in just a few months. Cybersecurity expert Bruce Schneier also called for frontier models to be used much more extensively for defense. Now it looks like the U.S. government has a reasonably swift response to the threat.
Dana Nickel reports for Politico that Gold Eagle, the AI cybersecurity clearinghouse mandated by the June 2 executive order, started its work yesterday. This is almost two weeks after the July 2 deadline, but according to officials, operations began internally on time.
Gold Eagle is intended to serve as a hub where all AI labs, federal agencies, critical infrastructure providers, and open-source maintainers can report software vulnerabilities they discover. Under the leadership of the Department of the Treasury, these vulnerabilities are then supposed to be triaged and patched as quickly as possible. According to government officials, frontier models such as Mythos will also assist in this process. Given that Mythos-class models exist, it makes sense to deploy them in a coordinated manner for defense.
But we can only gauge success after we’ve seen how the new institution actually operates. Gold Eagle’s predecessor drew criticism for its handling of computer security vulnerabilities: When the NSA found an exploit in Microsoft Windows, it was decided not to inform Microsoft, so the NSA could use it to gain access to external systems. The choice to keep Microsoft and the public unaware led to several billion dollars in damages after a malware program from North Korea and other ransomware also started using the exploit.
The NSA is also involved in Gold Eagle. If frontier models discover serious security vulnerabilities in software that is also being used by adversaries, can we be sure these will actually end up on the “to-fix” list and not in the arsenal instead? The executive order says nothing about this.
And, of course, a database of confirmed and prioritized software vulnerabilities in critical infrastructure is almost as juicy a target for hostile intelligence services as the weights of the frontier models themselves.
The analyses and opinions expressed on AI StopWatch reflect the views of the individual contributors and the sources they cover, and should not be taken as official positions of the Machine Intelligence Research Institute.


