Executive Summary
America’s digital borders are under attack. Thousands of attacks are carried out daily on Americans and American businesses, and it is estimated that cybercrime cost the US $452.3 billion in 2024 alone. It is not just money that is stolen, but trade secrets and critical national security information as well.
AI is likely to favor offense unless we change course. America is underinvesting in defensive cyber capabilities, meaning that cyberoffense is likely to dominate in the short term. However, many factors affecting this balance are malleable. Decisions made by AI developers and by Congress can shift this balance towards security if defense and safety are prioritized.
In light of the risks, Congress should:
- Improve Evaluations of AI’s Cyber Capabilities. Current AI cybersecurity evaluations are not rigorous or standardized. Congress should have the AI Safety Institute (US AISI) develop a standard Cyber Model Evaluation Suite based on real-world cybersecurity tasks to promote consistent assessments by AI labs. These assessments should be paired with annual red-teaming exercises to identify lingering gaps in preparedness.
- Strengthen American Leadership in Cyber-Defensive AI. A strong investment in cyber-defensive AI will help move the US toward a more cybersecure future. Pathways include further funding for prize challenges like DARPA’s AI Cyber Challenge, funding research on cyber-defensive AI, and empowering NIST to solidify best practices in deploying cyber-defensive AI.
- Grow the Cyber Workforce. There’s a critical need for cyber talent, and meeting the nation’s cybersecurity needs requires investing in the cyber workforce. Congress should pass the Cyber PIVOTT Act and further support NSF’s CyberCorps SFS Program.
- Strengthen Public-Private Partnerships (PPPs). Congress should establish a commission to evaluate existing cyber PPPs and their associated shortcomings, and then recommend improvements.
- Secure Frontier AI Companies. Congress should direct CISA to amend CIRCIA, classifying AI as critical infrastructure and requiring incident reporting to improve national security visibility.