House Subcommittee on Cybersecurity and Infrastructure Protection Hosts Hearing on AI Security

Justin Hendrix / Jun 7, 2026

The dome of the US Capitol building. Justin Hendrix/Tech Policy Press

On Thursday, June 4, the House Homeland Security Subcommittee on Cybersecurity and Infrastructure Protection hosted a hearing titled, “The AI Security Landscape: How Frontier Models, Agentic AI, and AI Coding Tools Are Reshaping Cybersecurity and Critical Infrastructure Resilience.” Witnesses included:

  • Sandra Joyce, Vice President, Google Threat Intelligence, Google LLC
  • Chris Meserole, Executive Director, the Frontier Model Forum
  • Jack Cable, Chief Executive Officer and Co-Founder, Corridor Security Inc.
  • Dr. Matthew Guariglia, Senior Policy Analyst, Electronic Frontier Foundation

What follows is a lightly edited transcript which may contain small errors. Please check the video before quoting.

Rep. Andy Ogles (R-Tenn.):

The Subcommittee on Cybersecurity Infrastructure Protection will come to order. Without objection, the chair may declare the committee in recess at any point. Today's hearing will examine how artificial intelligence is changing cybersecurity in real time and what that means for the resilience of America's critical infrastructure. We will discuss advanced frontier models capable of discovering software flaws, agentic AI systems that can operate across digital environments, and AI coding tools that are rapidly changing how software is built and secured. We'll also consider recent federal action on AI innovation and security as well as national security risks posed by the PRC's open-weight AI strategy, adversarial distillation, and the spread of Chinese AI models into American developer tools and enterprise systems. I now recognize myself for five minutes for an opening statement.

Good morning and thank you all for being here. Today we're examining how artificial intelligence is changing the foundations of cybersecurity and the security of our critical infrastructure. This committee has taken these threats and risks seriously for months. We have held round tables, hearings and briefings with the leading AI laboratories and cyber companies in the country. We have opened a joint investigation with the select committee on China into the proliferation of Chinese AI models. On Tuesday, President Trump signed an executive order directing the secretaries of the Treasury, Homeland Security and War to develop a classified benchmarking process for advancing AI cyber capabilities and to design a volunteer framework for early government access to cover frontier models. The president is right to act. These models are already reshaping the threat landscape and the federal government cannot be the last to understand what they can do. I want to be clear that this subcommittee intends to watch closely how CISA carries out its responsibilities under that framework.

CISA has statutory authority under the Cybersecurity Information Sharing Act of 2015, operates the Known Exploited Vulnerabilities catalog, and serves as the lead civilian agency for critical infrastructure cybersecurity. How CISA fulfills its role under this order, especially in translating early model access into practical guidance and vulnerability remediation for critical infrastructure operators, will be a central oversight question for this subcommittee in the months ahead. To understand why that matters, consider what these models can now do. Until recently, finding a serious unknown flaw in widely used software took skilled researchers months of painstaking work. Frontier AI models are collapsing that timeline. When they have models that can discover and exploit previously unknown vulnerabilities on their own at machine speed across the systems that run nearly everything in our economy. The most advanced of these models was judged too dangerous to release publicly, so it was shared with roughly 50 large companies to help them find and fix flaws before our adversaries could.

In the right hands, this is a powerful defensive advantage. In the wrong hands, it is a weapon. Imagine a Chinese state cyber actor, the kind already burrowing into our power grid and our water systems, armed with a model that finds and exploits unknown flaws faster than any human team alive. The danger does not stop at cyber attacks. The same models that hunt for software flaws can, without the right safeguards, help a bad actor work through the hardest steps of building a biological weapon. Our leading laboratories are building guardrails to refuse that kind of help. But when a foreign adversary copies an American model, strips out those safeguards and releases it to the world, those protections and protocols vanish. We could find we have handed the most dangerous knowledge on earth to the people most determined to use it with the safety switches turned off. There's a second front that deserves the same attention.

The United States leads the world in the most advanced frontier models and those models are largely closed, proprietary and expensive. China has taken the opposite path. Chinese labs are releasing open weight models that anyone can download for free but run at a fraction of the cost and that are now good enough for most of what an ordinary developer or business needs to do. Here is what concerns me. When the cheap, capable, easy option for an AI model is Chinese, the rest of the world will build on it. Developers and companies in the United States, Europe, South America, Asia and across Africa are making that choice right now. If we do nothing, Chinese models become the default foundation of the global digital economy, carrying embedded censorship, uncertain security and capabilities distilled from our own laboratories with the safety guardrails stripped out. We cannot let the world grow dependent on Chinese AI the way it grew dependent on other Chinese technologies we are now scrambling to address.

The United States needs a serious strategy to ensure capable American models, especially open weight models that developers, companies, and governments can deploy and adapt that are a real alternative. Finally, I want to name the issues practitioners care about because getting them right is how we secure the country. More of our software is now written by AI faster than human reviewers can keep up, which makes security by design practices, where security is built in from the first line of code, more important than ever. It makes AI coding tools a real concern when those tools are built on foreign models we cannot fully vet, and it makes agentic AI, software that plans and acts on its own across our networks, an entirely new attack surface our defenses were never built to withstand. These are real issues with real consequences and they deserve a serious bipartisan response.

I look forward to a substantive hearing and I thank our witnesses for being here.

When Ms. Ramirez arrives, we'll recognize her. Other members of the committee are reminded that opening statements may be submitted for the record. I am pleased to have a distinguished panel of witnesses before us today on this important topic. Pursuant to committee rule 8C, I ask that our witnesses please rise and raise their right hands. Do you solemnly swear that the testimony you'll give before the Committee on Homeland Security, the United States House of Representatives, will be the truth, the whole truth, and nothing but the truth, so help you God? Let the record reflect that the witnesses have answered in the affirmative. Thank you, and please be seated. I would like to formally introduce our witnesses. Ms. Sandra Joyce is the vice president of Google Threat Intelligence, where she helps lead one of the world's most capable teams tracking nation-state, criminal, and emerging cyber threats. She previously served in senior leadership at Mandiant before its acquisition by Google and brings more than 27 years of intelligence experience and is a US Air Force Reserve officer.

Thank you for your service, ma'am. Dr. Chris Meserole is executive director of Frontier Model Forum, an industry-supported nonprofit founded by leading frontier AI companies to advance the safe and secure development of advanced AI models. His work focuses on AI safety, evaluations, standards, and information sharing among industry, government, academia, and civil society. Thank you, sir. Mr. Jack Cable is chief executive officer and co-founder of Corridor Security Inc., an AI-powered software security company focused on secure AI coding and secure by design development. Corridor's platform helps identify vulnerabilities as code is being written, whether by human developers or AI coding tools. Mr. Cable previously served as a senior technical advisor at CISA, where he helped lead the agency's secure by design initiative, and he also worked at the Krebs Stamos Group and the Pentagon's Defense Digital Service. Thank you, sir. Dr. Matthew Guariglia is a senior policy analyst at the Electronic Frontier Foundation, where his work focuses on surveillance, policing, civil liberties, and government use of technology at the local, state, and federal levels.

I want to thank you all again for being here. I now recognize Ms. Joyce for five minutes to summarize her opening statement. Ms. Joyce.

Sandra Joyce:

Thank you, Chairmen Ogles, Garbarino, Ranking Members Thompson, Ramirez, and members of the committee and subcommittees. Thank you for inviting me to speak to you today. My name is Sandra Joyce and I serve as vice president of Google Threat Intelligence Group. Our team defends Google, our users and our customers by building the most complete threat picture to disrupt adversaries. We appreciate the opportunity to participate in this important conversation. As this committee knows, we stand at a critical technological inflection point. Rapid advances in artificial intelligence are unlocking new possibilities for the way we work and accelerating innovation in science, technology and beyond. This technology has impacted cybersecurity in profound ways for both the defender and the attacker. For years, Google has been successfully using AI defensively to find and mitigate vulnerabilities in the code we all rely on, but we have also anticipated that threat actors would abuse this technology to find and exploit vulnerabilities for malicious purposes.

Those concerns were validated recently when we discovered evidence for the first time that AI was used to develop a zero-day exploit by cyber criminals. We expect threat actors to continue using or attempting to use this technology to their advantage. We are particularly concerned about two future scenarios. First, though AI will be used by defenders to harden software and produce safer code, adversaries may have the initiative in the short term to find and exploit vulnerabilities at scale. We are working to integrate AI directly into the development cycle and make code exploitation more difficult than ever. Nonetheless, the transition period will pose challenges. As we harden existing software with AI, threat actors will simultaneously use it to discover and exploit novel vulnerabilities. In addition, agentic orchestration will allow threat actors to cheaply scale their operations and operate at unprecedented speed to take advantage of slow patch cycles, beleaguered security teams and human response time.

Threat actors are able to move rapidly before and after gaining access to a network using AI. They can take advantage of vulnerabilities faster than we can patch and they can move rapidly through networks using autonomous agents. To effectively tilt the cybersecurity balance in favor of defenders, we must close the exploit window. Historically, patch management has been a retroactive human paced race against adversaries. In the current threat landscape where attackers use AI to discover and target design flaws at scale, traditional siloed security tools fail to keep pace. For critical infrastructure operators and public sector networks, defense at scale requires an automated mechanism that shifts focus away from mere bug hunting and toward comprehensive environmental exposure management. To address this collapse of the exploitation timeline, Google has pioneered an always on four step framework designed to help enterprises to implement an autonomous defensive control loop: prepare, scan and prioritize, remediate, and monitor.

Our aim is to shift the industry away from reactive response and toward active prediction and accelerated remediation. We believe our approach to the frontier of artificial intelligence must be bold and responsible. This means developing and deploying technology in a way that maximizes positive societal benefits while proactively engineering systems to withstand and mitigate modern adversarial pressures. For more than 20 years, Google has pioneered a secure by design approach, meaning we embed security into every phase of the software development lifecycle, not just the beginning and the end.

Google software and AI development pipelines rely on advanced threat modeling to proactively identify emerging threat trends and systemic risks and to explicitly design our products for inherent safety. Rather than treating safety and security as an afterthought, we continuously enhance our safeguards inside our products to offer scaled adaptive protections to enterprise users and critical infrastructure operators across the globe. Cybersecurity has never been an environment where absolute perfection is possible. It will remain a fiercely contested, highly dynamic domain for years to come, demanding continuous innovation, speed and structural agility to defeat adaptive adversaries. As this committee looks to secure our homeland and fortify the digital architecture supporting American critical infrastructure, Google stands ready to serve as a committed transparent partner. By combining public sector authority with private sector technological innovation, we can harness the immense potential of artificial intelligence to tip the scales of cybersecurity permanently in the favor of defenders.

Thank you for the opportunity to testify today. I look forward to answering your questions.

Rep. Andy Ogles (R-Tenn.):

Thank you, Mr. Joyce. Summarize his opening statement and if we could move your mics so that it picks up properly. Ms. Joyce, move your mic forward just a little bit. Thank you so much.

Chris Meserole:

Chairman Ogles, ranking member Ramirez, distinguished members of the subcommittee. Thank you for the opportunity to testify today on the AI security landscape. I serve as executive director of the Frontier Model Forum, an industry supported nonprofit whose mission is to advance frontier AI safety and security. Since our founding, we have worked with our six member firms, Anthropic, Amazon, Google, Meta, Microsoft, and OpenAI to develop the security practices, scientific research and information sharing channels we need to responsibly manage the potential large scale risks to public safety and security from Frontier AI. My aim this morning is not to advocate for particular policies, but to help inform your discussion of the security challenges and opportunities presented by the most advanced cyber capabilities of the latest AI models and agents. My comments will touch on three key issues, the trajectory of frontier AI capabilities, the potential risks associated with them, and how we can manage those risks effectively.

Let me start with the trajectory of advanced AI. As impressive as the cyber capabilities of the latest frontier models are, they do not represent a sudden or discontinuous jump. The ability of today's models to autonomously identify and exploit vulnerabilities is clearly in line with empirical forecasts from over a year ago. I say this not to downplay those capabilities, but to underscore that they should not have come as a surprise. If the most recent models caught us off guard, that should serve as a wake-up call to strengthen our public-private partnerships and information sharing channels on which I'll share more in a moment. The second issue I'd like to touch on concerns the security challenges posed by Frontier capabilities. While the most advanced models hold enormous promise for strengthening the resilience of our cybersecurity and critical infrastructure, they also pose credible threats. An agent that finds zero-day vulnerabilities can protect us in the hands of a defender but expose us in the hands of an attacker and the attackers are real.

State-linked actors have already used advanced agents across the attack lifecycle, and less sophisticated criminals are now using AI to generate and sell ransomware. This is especially concerning for small under-resourced operators in critical sectors like water, healthcare and local government, where targets that may not have been worth an attacker's time before now may well be. Significantly, all of those threats are compounded by adversarial distillation. For those unfamiliar with the term, distillation is a method for training an AI model on the outputs of a larger, more capable model and has many legitimate and beneficial use cases. But when carried out at industrial scale and outside a developer's terms of service, distillation amplifies the security challenges of frontier AI because it transfers the advanced capabilities of a model but without any safeguards attached. Foreign actors can use distillation to accelerate their own AI development and leverage the capabilities they gain against US critical infrastructure.

And when adversarially distilled models are made widely available, malicious actors of every kind can exploit advanced cyber capabilities with relevant security mitigation stripped away. Any serious effort to secure US critical infrastructure must address adversarial distillation. The good news here, and this is the third main issue I'd like to touch on, is that we have a strong foundation for managing all of these threats. Let me highlight several areas in particular. First, as I noted earlier, frontier models hold enormous potential for cyber defense. Since cyber capabilities are dual use, the same agents that find vulnerabilities for attackers can find and patch them for defenders. Thankfully, leading developers have already begun putting these tools in the hands of trusted defenders and critical infrastructure operators. Second, there are many existing information sharing channels we can leverage. Leading developers already have bilateral information sharing agreements with government agencies while the FMF maintains a multilateral information sharing mechanism among industry.

All of that is in addition to the ISACs, ISOs, and sector coordinating councils that already exist. We should strengthen and build on these mechanisms where we can, including through clear guidance on antitrust and export controls. Third, we should build on established practices and standards. Securing frontier AI doesn't require starting over. Foundational controls like red teaming, access controls and continuous monitoring still apply, but we do need to update and adapt those practices, which is why efforts like the NIST AI agent initiative are so welcome. Finally, we also need to redouble existing investments in AI measurement and metrology. Many cyber benchmarks are nearing saturation, so developing the next generation of evaluations and technical safeguards, work that CAISI and others, including the FMF, are already pursuing, will be essential. By leveraging AI for defense, strengthening existing information sharing channels, updating and adapting cybersecurity practices and investing in better measurement, we can meaningfully improve our resilience.

Thank you for the opportunity to speak today and I look forward to your questions.

Rep. Andy Ogles (R-Tenn.):

Thank you, Dr. Meserole, and I'll recognize Mr. Cable for five minutes to summarize his opening statement.

Jack Cable:

Chairman Ogles, Ranking Member Ramirez, and distinguished members of the committee. Thank you for the opportunity to testify today. I am the CEO and co-founder of Corridor, where our mission is to prevent a new wave of vulnerabilities by securing AI coding. Before this, I helped build the secure by design initiative at CISA and was a top ranked ethical hacker. We're living in a time of profound change in cybersecurity. Coding agents, not human engineers, are writing our code and growing more autonomous every day. They produce code at unprecedented rates and without guardrails will introduce more vulnerabilities than ever. At the same time, frontier models like Mythos are increasingly capable of finding and exploiting vulnerabilities, though, as Anthropic's own data shows, their ability to find flaws has far outpaced the ability to fix them. Before I talk about what's changing, let me note what's staying the same. Attackers generally aren't exploiting new kinds of vulnerabilities.

They're exploiting the same old flaws we've known about for decades. Even Mythos is surfacing issues like buffer overflows first discovered in 1972. Similarly, longstanding defense mechanisms still matter. The case we built at CISA around secure by design is more relevant than ever. Rewriting critical code in newer memory safe languages will yield dividends for years to come. The central challenge is not that AI creates new categories of vulnerabilities. It's that AI dramatically increases the speed and scale at which vulnerabilities can be introduced, found, and exploited. Our response must shift from patching individual bugs to preventing entire classes of vulnerabilities at the source. Today, I'll make three key points. First, hackers have more powerful tools than ever. Mythos and GPT5 are just the latest iteration of models that can run robust end-to-end exploit chains. These models aren't just hype. They are truly starting to rival or exceed humans on security tasks and do so at an unprecedented scale.

We won't be able to patch our way out of this. Of the 1,500 vulnerabilities Anthropic has disclosed via Mythos, only 6% of them have been fixed. Instead, we must get ahead of vulnerabilities at the source by shifting to prevention and wide scale remediation. This is especially acute for open source software. It underpins every software service we rely upon yet as a public good will be hit the hardest. Second, as AI is the dominant code writer today with scale comes more vulnerabilities. The most productive engineers no longer write code. They instruct fleets of AI agents to do so. Today, you can start a coding agent from your phone and it'll produce a significant code change while you eat lunch. GitHub reports 14 times more code committed in 2026 than 2025. Google says 75% of its new code is AI generated. At Corridor, agents write the vast majority of our code.

While coding agents write more secure code per line than humans, they still often introduce vulnerabilities and those scale with volume. Academic benchmarks find that even the best models introduce vulnerabilities roughly a third of the time. Our own data shows 13% of agent generated code changes have vulnerabilities. Between AI empowering adversaries and coding agents writing more code than ever, we're stuck between a rock and a hard place. To prevent the bugpocalypse, we need a new path forward. Third, the good news is that properly guided AI coding offers a more secure future. At Corridor, we find that coding agents follow security instructions better than most humans. Across our customers, giving the coding agent the right context at the planning stage reduces vulnerabilities by 60%. For existing code, frontier models can accelerate security refactors that once cost millions of dollars and years of efforts now achievable for thousands of dollars in weeks.

Initiatives like DARPA's TRACTOR program translating unsafe code into memory safe languages are exactly the right investment. Let me close with my recommendations. One, prevent vulnerabilities in new code. The highest leverage step is to stop entire classes of vulnerabilities at the point of code generation. Congress should enable AI coding among the federal government and its contractors while requiring security guardrails that prevent these vulnerabilities upfront. Two, harden the open source software foundation. Rather than one-off fixes, Congress should fund a multi-billion dollar nonprofit initiative for large scale security oriented refactors and maintenance of critical open source components. I also encourage the committee to bolster CISA's capabilities to partner with the open source ecosystem by passing the Securing Open Source Software Act. Three, maintain America's lead through open weight models. A thriving AI industry demands both the cutting edge performance of closed weight models and the low cost and flexibility of open weight models.

Today, there are no frontier open weight models from the United States. The US government should fund and support the development of open weight models and we should keep allowing US businesses to access frontier models. Restricting access only sets us back. Thank you for the opportunity to testify today. I look forward to your questions.

Rep. Andy Ogles (R-Tenn.):

Thank you, Mr. Cable. I now recognize Dr. Matthew Guariglia for five minutes to summarize his opening statement.

Dr. Matthew Guariglia:

Chair Ogles, ranking member Ramirez, members of the committee, thank you for the opportunity to speak today. My name is Dr. Matthew Guariglia, and I'm a senior policy analyst at the Electronic Frontier Foundation. The Electronic Frontier Foundation is a nonprofit organization dedicated to protecting privacy, innovation, and free expression in the digital world. For 35 years, EFF has represented the users of technology both in court and in policy debates to ensure that law and technology support our civil liberties. Today, I am urging caution on the use of artificial intelligence in the national security and cybersecurity arenas. AI can be an incredible tool for cybersecurity, but without proper guardrails in place, it can amplify threats to civil liberties and make us less safe. I urge the committee to consider narrowly tailored regulation that promotes transparency and accountability while protecting innovation. Guardrails are especially important because the national security state already has tools that can aggregate and infer sensitive information about individuals without preexisting probable cause.

We're talking about making inferences about a person's politics, personal life, religion, and geolocation, sometimes inaccurately with major consequences. Before there was a smartphone in every pocket, our privacy relied in large part on the practical cost of surveillance. You couldn't watch all people all the time. It took effort, it took hundreds of employees. It even took airline hangars to store all of the physical files. AI combined with the exponential growth of electronic surveillance tools has totally upended this. Thanks to those tools, AI's increased capacity can expose every American to granular levels of surveillance with the click of a button. This departure from the prior default, which is individualized surveillance based on individualized suspicion, poses a major threat to civil liberties and one that Congress and the courts have yet to address in any meaningful privacy preserving way. AI also has a track record of getting things wrong, from false citations on legal briefs to a major AI mistake that sent DHS recruits to the field without proper training.

There are likely more consequential examples that we don't even know about because of classification that would prevent a more thorough accounting. There are, however, solutions to threats posed by irresponsibly deployed AI. The first is to answer the urgent need for transparency within the military or the intelligence community in which AI would be deployed. And the second is a general reduction of the amount of warrantless data collected by taking actions like reforming section 702 of FISA or closing the data broker loophole. For decades, the national security apparatus has been overburdened by impenetrable layers of classification. Secrecy would prevent the public from knowing about or seeking accountability when AI hallucinates or makes vital mistakes in the national security or cybersecurity spaces. Hidden by the secrecy is the practice of zero day hoarding where government deployed AI might find vulnerabilities in critical infrastructure, but that information is withheld from affected parties in an attempt to preserve future opportunities for surveillance.

This has already happened a number of times where NSA-discovered vulnerabilities like EternalBlue were exploited by bad actors and foreign nation states. I will end it by noting that we should be concerned about the way the executive branch's current posture toward AI not only jeopardizes civil liberties, but the cybersecurity and resilience of our critical infrastructure. The government has insisted that the technology it procures be made available for use as a mass surveillance tool despite companies' internal ethical commitments and the best use guidelines for their products. When a company does not comply, they have been labeled supply chain risk, but making companies enablers of civil liberties violations will eventually make them reluctant to sell cutting edge tools that we need for maintaining digital infrastructure. Even the White House's brand new executive order, while it does direct resources to cybersecurity, does not ensure that its early access to frontier models will not be used to hoard and exploit vulnerabilities.

It also creates a tiered regime where some companies in good standing with the administration could be granted cutting edge cybersecurity tools while others are relegated to susceptibility. The lesson here is that government must not let political whims stifle technological progress for the public good. One of EFF's core values is the belief that technology can create a safer and more just world. AI holds immense promise in many areas, but it is up to Congress to step in and provide necessary and balanced regulations. Thank you again for the opportunity to speak today, and I look forward to your questions.

Rep. Andy Ogles (R-Tenn.):

Thank you, Dr. Guariglia. I now recognize the ranking member for five minutes for her opening remarks.

Rep. Delia Ramirez (D-Ill.):

Thank you, chairman. Well, first I want to thank our witnesses for being here today. Today's hearing about the security concerns raised by artificial intelligence comes at a very important moment. Artificial intelligence development is speeding ahead with nearly no standards, rules, or regulations for how powerful AI tools will be responsibly used. It does not seem to be a point of debate that we should do something about that. It's actually why we're here today. The advent of new models like Anthropic's Mythos has moved even the president to admit that there are security risks associated with artificial intelligence and that the federal government has a role to address them. But as you might expect, I take issue with the most recent executive order on artificial intelligence. Now, I rarely look to the Vatican for a policy inspiration, but when Pope Leo himself publishes a 200-page encyclical calling for AI regulation and warning that data cannot be left in private hands and that is a more comprehensive AI policy than what's coming out of the White House, well, I think we should be concerned.

In contrast to the EO, the previous presidential executive order on AI noted that AI makes it easier to extract, re-identify, link, infer, and act on sensitive information about people's identities, locations, habits, and even desires. Bottom line, AI makes it easier to surveil, target, and violate our rights and privacy. And the executive order that was just recently issued is silent on how to mitigate those risks and protect the public's rights of privacy. Am I shocked? No. The administration has already demonstrated we use every tool available to find, track and deport immigrants and those who defend their rights. In my own district, DHS has used AI powered facial recognition software and predictive tools to target, intimidate immigrants and rapid responders alike. And now we're watching AI powered monitoring systems spread to schools, to public housing, to hospitals with no transparency about how they work, no ability to challenge them and no recourse when they're wrong.

So I'm clear that we cannot settle for unregulated, unaccountable AI. There's got to be rules. There's got to be limits and it's our responsibility to ensure oversight. We have to set standards for AI's responsible use. Move fast and break things: it's not an acceptable innovation strategy when things being broken are people's lives, their rights, their privacy, and their safety. Fortunately, states across the country, including my home state of Illinois, are leading the way. Just recently, last week, lawmakers in Illinois sent SB 315, the strongest AI bill in the country, to the governor's desk. Among other things, the bill requires frontier AI developers to have their safety practices audited by a third party, a major and much needed check on AI companies. The effort builds on laws already enacted in states like New York and California that require AI labs to provide information about guardrails to ensure the safety of their models and to publish reports on any safety incidents.

Bottom line, at the federal level, we have to, one, enforce the laws we already have: civil rights, privacy, and consumer protection. Two, we have to define clear rules and guardrails with real consequences that companies are statutorily required to abide by, no voluntary pledges as we've seen. Three, make companies prove their systems are safe before release at every step because the burden of proof should not be on the companies. The burden of proof should be on the companies, not the consumer, and certainly not the public. So until the federal government can do that work and demonstrate it will develop AI policies that prioritize the wellbeing of the people over the profits of AI companies, Congress must not undermine state laws that ensure responsible AI. I want to know, as we go through our questions today (we might have, I think, more than one round), what you are doing right now to make sure that AI technology will not become another instrument of surveillance, exploitation or control dressed up in language of progress and national security.

We've already endured those who would ask us to sacrifice our rights and liberties to secure our safety. We're done with a false choice. We think that we could regulate AI and actually benefit from the advancements and progress that it brings, but we have to ensure that we do our own work and the oversight necessary. With that, Chairman, I yield back so that we can start the questions.

Rep. Andy Ogles (R-Tenn.):

Thank you, Ranking Member Ramirez. Members will be recognized by order of seniority for their five minutes of questions. I now recognize myself for five minutes. President Trump's executive order directs CISA to facilitate access to cybersecurity tools and services, including where appropriate covered frontier models for agencies, state, and local authorities and critical infrastructure operators such as rural hospitals, community banks, and local utilities. That could be a major opportunity to get better tools into the hands of the defenders who need the most. At the same time, many smaller organizations still struggle with basic cyber hygiene, patch management, asset inventory, identity security, and limited staffing. How should this work in practice? What basic foundations need to be in place so advanced AI-enabled cybersecurity tools help these organizations reduce real risk instead of creating more alerts, more confusion, or more unmanaged responsibility? Ms. Joyce.

Sandra Joyce:

Thank you so much for the question. And we want to compliment the administration for really leading the way on the executive order. We have just received it. We're still looking at how we're going to be implementing it. We're looking at the details. But one thing we have often said is that we do believe that AI needs to be regulated and we also think it's too important to not be regulated and it's too important not to be regulated well. So when we look at critical infrastructure and those individuals who are on the front lines of providing services to day in day water electricity, we think it's really important that we are able to support them with cybersecurity that they need. One of the ways that we think that can happen is through cybersecurity grants that are going to be able to provide the know-how and the funding.

No frontline defender in critical infrastructure should be left to their own devices to go toe to toe with nation states and cyber criminals. So we look forward to being a good partner in this and we look forward to being supportive of American leadership in this space.

Rep. Andy Ogles (R-Tenn.):

Mr. Cable, would you like to also respond?

Jack Cable:

Yes. Thank you, Chairman, for the question. The good and bad news is that so much of security is low-hanging fruit and you do not need frontier models to address that. If we look at the state and local governments, critical infrastructure owners and operators out there today, as you mentioned, there are many basic vulnerabilities that are on their networks that are open to exploitation from our adversaries. For instance, we continue to see a string of exploitation of network edge devices by foreign adversaries. Ultimately, what many of these issues come down to is vulnerabilities in underlying software products in use by these entities. And my response to that is that these entities who produce these products in line with Secure by Design ought to be doing more to deploy frontier models in order to shore up the security of their products. And as I mentioned in my opening statement, in particular to do these large-scale refactors needed in order to root out these entire classes of vulnerabilities from their products.

We called this at CISA Secure by Demand, by which critical infrastructure owners and operators, consumers of technology products could do more to put pressure on software vendors. I believe Congress has a role there as well and this also underscores the passage of the Pillar Act in order to give necessary resources to state and local governments.

Rep. Andy Ogles (R-Tenn.):

This is just kind of a general thought. When you think about a regulatory framework for AI, how do we regulate AI in such a way to protect the consumer, the public, but yet not hinder ourselves against this arms race that essentially is against China? Ms. Joyce.

Sandra Joyce:

I think that's the work of today and the work of our generation right now. It's so important that we get this right and this technology is so important to regulate in a way that's going to balance the safety and security of the models and of the users that are using them, but also is going to support American leadership in this space. What we're seeing in my role as the threat intelligence lead at Google, we are seeing every day how threat actors are attempting to abuse AI models in order to carry out their schemes. And we publish very regularly in an attempt to be transparent the threats that we're seeing. In our quarterly AI threat tracker, for example, we recently published how threat actors are doing everything from a prompt injection to trying to manipulate and to create exploits using AI. And so we can see that the threat landscape is rapidly evolving and we need to be able to meet the moment in that while balancing safety and security with bold and responsible regulation.

Rep. Andy Ogles (R-Tenn.):

Thank you, ma'am. I now recognize the ranking member, the gentlewoman from Illinois, Ms. Ramirez, for her five minutes of questions.

Rep. Delia Ramirez (D-Ill.):

Thank you, Chairman. Dr. Guariglia, can you pronounce your last name again?

Dr. Matthew Guariglia:

Guariglia.

Rep. Delia Ramirez (D-Ill.):

Guariglia. Did I get it right?

Dr. Matthew Guariglia:

Yes.

Rep. Delia Ramirez (D-Ill.):

Good, good. You did an exceptional job, chairman. I had notes.

Rep. Andy Ogles (R-Tenn.):

I'm going to be honest.

Rep. Delia Ramirez (D-Ill.):

Even with mine, I still struggled here. Your work documents how the government's expansion of data collection surveillance capacity, justified repeatedly as a security or public safety necessity, has consistently been turned against the most marginalized communities. My question to you is, when we talk about building resilience in critical infrastructure through AI-powered monitoring and threat detection, how do we ensure that the architecture we're building in the name of protection doesn't become the next iteration of that same pattern?

Dr. Matthew Guariglia:

Yeah. The capacity to store data and to analyze data is infrastructure. It by definition has multiple purposes. It can be used for building critical resilience in critical infrastructure, or it could also be used for compute power for surveillance. I think one of the things we've been thinking about is specifically narrowly tailoring the types of models that we deploy specifically for cybersecurity so that they are less general purpose models that can be redeployed in other purposes for surveillance. So I think thinking about how to tailor both digital infrastructure and AI models so that they serve one purpose without very easily being co-opted by DHS or other agencies for the purposes of surveillance and

Rep. Delia Ramirez (D-Ill.):

Policing. And you've written that America's privacy is currently being decided by contract negotiations between tech companies and the White House, not by Congress. We're watching that play out in life between the Pentagon and Anthropic right now. I guess my follow-up question to you is what does Congress need to do to put in statute so that civil liberties protection doesn't depend on morality of billionaire CEOs?

Dr. Matthew Guariglia:

Yeah. I mean, at this level, the question is not how do we rein in AI? It's how do we rein in the agencies that would unleash AI on the American public? So with the Anthropic deal, what we have is a contract negotiation in which one party does not want to do mass surveillance against Americans or claims not to. And the other party is insisting that their technology, their multiple purpose technology be made available to them for exactly that purpose. And absent in that is Congress saying what the rules should be for how the government can deploy technology against Americans. So things like, as I said, closing the data broker loophole, reforming Section 702 of FISA. Longstanding issues of American privacy and the government's ability to collect data need to be addressed first so that when AI is deployed, it does not drastically amplify those civil liberties violations.

Rep. Delia Ramirez (D-Ill.):

Thank you. Well, let me ask you one last question and I'll give you a little bit more time. We probably will have another round maybe. Okay. So we're hearing a lot about agentic AI, the systems that can detect and respond to threats on their own without waiting for a human to approve each decision. You've written about how technology vendors sell governments tools before anyone has actually even figured out what happens when something goes wrong. So I want to ask you directly. If an autonomous AI system managing the cybersecurity of a city's water infrastructure makes a bad call, flags a clean system as compromised, shuts down access, causes an operational failure, who is responsible under current law?

Dr. Matthew Guariglia:

I don't know who's responsible under current law. Yeah. And I think part of the problem that we have is this transparency piece is that when something goes wrong like that, how does the public find out about it? Where does the accounting come from? I imagine have to rely on the transparency of the city because the proprietary models and the corporations are not going to be forthcoming with the American public. And this is made exponentially worse once you take it out of the municipal level and you get to the federal government where the national security has its own history of very impenetrable classification.

Rep. Delia Ramirez (D-Ill.):

So you're hoping for transparency of the city, but that doesn't actually get to the accountability of who ends up being responsible. It's the last question and see if you have any answer to it. And this is if the community is harmed as a result of this and has limited resources to demand the accountability, what realistic recourse would they even have?

Dr. Matthew Guariglia:

I'm not sure.

Rep. Delia Ramirez (D-Ill.):

Yeah, that's what I figured. Chairman, I have another question we can do next round, but I'll yield back.

Rep. Andy Ogles (R-Tenn.):

The gentlewoman yields back and now recognize the gentleman from California, Mr. Fong.

Rep. Vince Fong (R-Calif.):

Thank you, Mr. Chairman. I want to thank the witnesses for being here. Certainly a very important topic with everything going on right now in the cybersecurity space. My first question I wanted to pose to Mr. Cable. My district, we've pulled together a round table with schools, hospitals, energy providers, water districts. I represent urban centers and rural communities as well. And then I read that the time from a breach to an escalation is probably now mere seconds. And so our cybersecurity defenders have to meet these machine-speed attacks with machine-speed defenses. So a company like yours probably could take thousands of AI-generated vulnerability findings and turn them into patches pretty quickly, but a rural hospital, a small utility, a county government, a water district, they may see the same list and may not have a realistic way of keeping up. So how do you propose or what advice do you have in terms of how do we prevent frontier AI from creating a world where companies can get patches but smaller critical infrastructure operators may fall behind?

Jack Cable:

Thank you, Congressman, for the question. In order to get ahead of these issues, I think about it in two ways. We have to both shift further right up the attack chain to deploy AI in order to better detect attacks, better defend systems, while also shifting further left right into the very ways in which software products are being built to make them fundamentally more resilient. Our focus at Corridor is on the latter, working with manufacturers of technology products to help them identify and prevent vulnerabilities in the development cycle. And we are seeing by doing that, we can prevent vulnerabilities before they make it out into deployed products that are used by any consumers of software such as critical infrastructure owners and operators. But I think that there is also this need for an increased focus to give these defenders who are increasingly both under-resourced and also subject to attackers who have more and more capabilities at their hand.

We really do need to foundationally shore up the security of these systems, both in the short term through deploying AI capabilities that can prevent, detect cyber attacks, but then in the long term by making sure that the products that they rely on are fundamentally more secure.

Rep. Vince Fong (R-Calif.):

And I wanted to probably pose the same question to you, Ms. Joyce. The chairman, Mr. Ogles and I have talked about this. I have military installations in rural communities out in remote areas for a reason. And so a cyber attack that affects the water supplier, the electricity grid not only impacts the community, but of course our national security as well. And so I wanted to maybe pose the same question, but then also add a second question, which is in terms of the integrity of our AI systems, that is of course becoming a national security issue. If our adversaries can manipulate the models, poison data, abuse AI tools for cyber operations and undermine the trust in AI generated outputs, that certainly those risks extend well beyond one company. So how do you work to secure the integrity of AI systems to advance our national security and what should Congress do to understand the connection between model security, infrastructure security and American technology leadership?

Sandra Joyce:

Thank you so much for that important question. And from a threat intelligence perspective, I can say that it is truly important to look at this. We have already seen Russia, China, Iran, and North Korea in some cases trying to or succeeding in embedding themselves in our critical infrastructure. So we know that this threat is happening as we sit here today. We are looking at how these threat actors are embedding themselves. Groups from China called Volt Typhoon, for example, have already demonstrated capability and intent in this space. In my role at Google, what we're doing is actually looking at our Gemini model. We have embedded inside of Google DeepMind personnel so that we can be on the front lines and looking at the threats as they come in. When we find and gain insights that we think will be helpful for defenders, particularly the ones who are in critical infrastructure, we publish those.

We attempt to be very transparent about it. And so as I said, you can look at our AI threat tracker that we have been publishing every quarter. We have years of AI threat reporting that we have done publicly to ensure that we're putting these insights out to those who need to use them.

Rep. Vince Fong (R-Calif.):

My time is running out. Maybe we'll do ... I have some additional questions, so I'll wait for my second round. Thank you, Mr. Chairman. I yield back.

Rep. Andy Ogles (R-Tenn.):

The gentleman yields back and now recognize the gentleman from Rhode Island, Mr. Magaziner for five minutes.

Rep. Seth Magaziner (D-R.I.):

Thank you to the chairman and the panelists. As we think about the risks and opportunities posed by frontier AI models in the cybersecurity realm, the thought that keeps recurring for me is that we are very fortunate that Anthropic did the right thing with Mythos and that before this product that is incredibly powerful and has demonstrated an ability to facilitate cyber attacks in a manner that no other tool has been able to do before, before releasing this out into the world where bad actors could use it, they did the right thing by alerting the government, alerting key players in the tech space, including I assume your employer, Ms. Joyce, and working with them so that they could shore up their defenses before this product becomes available. But what if they hadn't chosen to do that? What if they or anyone else had chosen to just release this out into the world where anybody could use it to extort ransom, to make critical infrastructure inoperable to cause mass chaos?

Or what if they had decided to sell it to Putin first or sell it to the highest bidder? I'm not saying that they would do that, but the point I'm making is that there is a real risk for all of us to just be crossing our fingers and hoping that the next time there is a new advancement in Frontier AI that whoever made that advancement just does the right thing again. And so I'm encouraged by the executive order this week, which establishes at least a framework for new frontier AI models to be vetted before they are released to the public. However, this framework in the executive order is still only voluntary. So we are still in a place where we are just crossing our fingers and hoping that the developers of AI are just going to do the right thing and participate. I'll just ask any of our witnesses to weigh in, what do you see as the positives in this executive order?

What still needs to be done in order to ensure the safety of the American people as new frontier AI models are released? And should we be moving toward a system, a vetting system that is a mandatory one as opposed to just an optional one? And I'll open it up to anybody who'd like to answer first.

Jack Cable:

Happy to take that first. Thank you, Congressman, for the question. It's my belief that the best approach to protecting our systems from continued improvements in frontier models is to deploy state-of-the-art models today to shore up our defenses. The best defenses that we have can be made such that, for instance, if we do a refactor of a critical piece of software into a memory-safe language, we can ensure that that is free of certain types of vulnerabilities that frontier models today find and frontier models of tomorrow. So there are some of these secure by design principles that if we build software products in the right way, we can ensure that they're protected against whatever might come with future models. As to your question on the executive order, I was glad to see that the White House took a voluntary approach to securing these frontier models. While I agree that it is crucial to make sure these capabilities get in the hands of the right defenders, I believe that ultimately the advantage does lean towards making these models more widely accessible to allow defenders to make use of them ahead of adversaries exploiting.

Rep. Seth Magaziner (D-R.I.):

But let me ask you, I mean, again, say, and I don't want to call out Anthropic here, any developer in this space, if they developed a very powerful technology that could be used to cripple critical infrastructure, to cripple financial institutions, what's to stop them today from just selling it to the highest bidder and not giving defenders an opportunity to shore up their defenses with it first?

Jack Cable:

I think part of the answer there, sir, is that the open weight models, while they are not quite as good as the frontier models, they are quite close. They lag a couple months behind, but these capabilities are already out there and can be wielded by adversaries.

Rep. Seth Magaziner (D-R.I.):

I don't know. I mean, just reclaiming my time, I don't want to betray anyone's confidentiality here, but I've met with some of the largest financial institutions in the world in recent weeks who have told me that with Mythos, they found thousands of vulnerabilities that they didn't know they had. And if Anthropic had not done the right thing and given them a chance to build up their defenses first, the damage could have been incredible. And so once again, I'm glad to see that there's at least some federal framework being set up now in this executive order, but to just keep it kind of voluntary and let everybody make their own decision about whether to give defenders a head start or say sell this to Putin first or to the highest bidder, I think is very dangerous. And it doesn't have to be an onerous vetting process.

I think the executive order says 30-day vetting process, but there needs to be some kind of a process. And we'll dig into this a little bit more when I get another round, so thank you.

Rep. Andy Ogles (R-Tenn.):

The gentleman yields back. One of my concerns is China. So AI coding tools are quickly becoming part of how software is written. If a coding tool is built on a PRC origin open-weight model, the issue is not only who made the model, it is whether that model becomes part of a software supply chain for American companies. Should companies treat model provenance the same way they treat software? What questions should a company ask before allowing a PRC origin model into its developer environment? Ms. Joyce, were you going to lead off and we'll just go down the line?

Sandra Joyce:

Well, like I said, we really believe that regulation is really important in this space and we're seeing a lot of threats to the supply chain as we go along. I wanted to clarify one issue about the threat before we move forward and that is that while certain tools that have been introduced recently are very, very prominent and we're talking a lot about them. The truth of the matter is we have seen cyber criminals and threat actors already be able to create harnesses, which is basically the software scaffolding around a model. It doesn't have to be a very powerful model to be able to already write exploits. So as we move along in this space, what I want to clarify is the threat that these threat actors will be able to use these new models, they don't even need to use new models to do what they're doing.

They can use existing models and we already observed how a cyber criminal had developed their own harness and was already writing their own exploit and they did not have access to the models that we've been talking about.

Rep. Andy Ogles (R-Tenn.):

Doctor.

Chris Meserole:

I would actually even move upstream a little bit to how those models are developed in the first place and suggest that there's a lot more that I think needs to be done to be able to counter the use of adversarial distillation so that the capabilities of those models, if we're worried about them and the capabilities they have, we need to protect the integrity of the models we have and the capabilities we have by trying to prevent the distillation of American models by foreign linked actors in the first place. And I would encourage robust discussion on that front.

Rep. Andy Ogles (R-Tenn.):

Mr. Cable.

Jack Cable:

Thank you, Chairman. I would say that the reason that companies today are using these models from China is because these models offer the best performance. Like I mentioned in my opening statement, there are no frontier open weight models from the United States and there are use cases where as a company building AI systems, you want to be able to, for instance, fine tune models to work best on your use case. I would argue that the best answer here is to foster an ecosystem of open weight models coming from the United States that have safeguards in place that can then become the norm by which others, whether within or outside the US can build their technology. And that is where I think that we can counteract some of these other models by having a competitive ecosystem here.

Rep. Andy Ogles (R-Tenn.):

Dr. Guariglia?

Dr. Matthew Guariglia:

Yeah. I would just urge that we think about US-based models in the same vein that we would those coming from places overseas like China in the sense that absent consumer privacy laws, absent more laws that govern how the United States conducts surveillance on American citizens, both models run some sort of threat of jeopardizing civil liberties and the integrity of the American people.

Rep. Andy Ogles (R-Tenn.):

You talk a lot about the privacy of citizens. Is 702 written in such a way to protect Americans from AI in your opinion?

Dr. Matthew Guariglia:

No, no. I mean, the problem we have right now is that Section 702 is collecting all of these communications, including those of Americans, and they're storing them in a big pot essentially where the IC has some restrictions over where and when they can access Americans' communications, but the Federal Bureau of Investigation does not and they can query and look at those without a warrant. So with a large archive of American communications that the Federal Bureau of Investigation can access, my concern is that deploying AI in that sort of a space would allow them to sift through American communications without a warrant and also expose them to analytics like artificial intelligence.

Rep. Andy Ogles (R-Tenn.):

Thank you. Yield back. Recognize Ms. Ramirez for five minutes.

Rep. Delia Ramirez (D-Ill.):

Thank you, Chairman. I want to follow up with the conversation we were having just a few moments ago, Dr. Guariglia. CISA is still racing to finalize its first ever mandatory cyber incident reporting rule, meaning right now the vast majority of cyber attacks on critical infrastructure go unreported. We were just talking about that a moment ago. We're talking today about deploying autonomous AI security systems across that same infrastructure. So my question to you is, how can Congress make informed decisions about AI accountability when we don't even have a baseline picture just yet of what's even being attacked and even what the consequence it could be to our communities?

Dr. Matthew Guariglia:

Yeah. I think a more robust infrastructure of communication between the federal government and affected entities as well as more resources dedicated to cybersecurity and dedicated toward hardening critical infrastructure and to institutions like CISA, which could build a more robust model for both monitoring and disclosure.

Rep. Delia Ramirez (D-Ill.):

So just following up on that, Section 702 of the Foreign Intelligence Surveillance Act expires next week and we're going to be asked yet again to pass a reauthorization of this authority. As if we didn't have enough reason to be worried about Section 702, the president has now appointed Bill Pulte, a partisan loyalist with no national security experience as the acting director of national intelligence. He has a well established record of abusing his position to target the president's political opponents and now he's gaining access to more information about Americans through his new position establishing yet another reason why we need real protections for Americans on how the government is gathering information on us in the name of national security. Doctor, my last question for you, how could new frontier AI models facilitate greater abuses of the Section 702 authority and what reforms would you like to see in any 702 reauthorization that would help mitigate those risks?

Dr. Matthew Guariglia:

Thank you so much for that question, Ranking Member Ramirez. As I was saying earlier, I think the fear is that with such a large pool of Americans' communications sitting and being able to be accessed by federal law enforcement without a warrant, that AI would make all of that data more easily weaponized against the American public, especially for political purposes, as is always the fear. And so I think when we're looking at the reauthorization perhaps next week, one thing we have to think about is first and foremost a warrant requirement that before federal agents want to access American communications, they should not only get a warrant to actually look at the content, but also to query whether or not that database has communications by specific Americans in it. And I also think transparency is key here because when national security intelligence is used for criminal prosecution in the United States, oftentimes it is not disclosed to either defendant or their attorney where that information came from and so they are unable to challenge it.

And so I think that transparency piece and a warrant requirement are essential not only to any reauthorization of Section 702 of FISA, but also to prevent the proliferation of AI in the federal government to being able to weaponize that data further.

Rep. Delia Ramirez (D-Ill.):

Got it. So warrant requirement, query onto the information and transparency. Thank you. I want to make sure that I make that note. I'm going to go ahead and yield back to the chairman. Thank you.

Rep. Andy Ogles (R-Tenn.):

Gentlewoman yields back. Recognize the gentleman from California for five minutes, Mr. Fong.

Rep. Vince Fong (R-Calif.):

Thank you. I wanted to follow up on the chairman's question, which is when it comes to the threat China poses. We've seen China use low cost technology to gain global market share in other sectors. It's scary to imagine a world where the default AI model in Europe, South America, Southeast Asia, Africa and parts of the Middle East is a Chinese open weight model because it's inexpensive, capable, and is easy to run locally. Maybe I'll throw this to the panel, but what leverage would China gain if PRC origin models became embedded in global software development, cloud services, manufacturing, robotics, and critical infrastructure? And what should the United States do now to avoid that dependency? Anyone can chime in.

Sandra Joyce:

I don't think there's a prize for second place in the AI race, nor is there one in the quantum race. And American leadership in this space is truly critical. In my group, we have tracked the threat from Chinese cyber for many, many years. We understand that they are prepositioned in our critical infrastructure and the government has confirmed that there are no reconnaissance purposes for that, that the reason they're embedded in critical infrastructure is for a potential kinetic action in the future should they choose. So I think that the leverage that would be gained by having this fundamental technology not be led by American innovation and democratic societies would truly be something that we simply cannot tolerate.

Rep. Vince Fong (R-Calif.):

Doctor, do you have opinion on this? Or if not, then I can jump to another question for you.

Chris Meserole:

I might just speak briefly to how some of their capabilities are being developed and what we might be able to do about it. So again, one of the core issues here I think is how the trendlines between leading US capabilities or the capabilities of leading US models and the capabilities of leading foreign models have collapsed. It used to be kind of let's say a 12 to 18 month gap in terms of when models would be released from the US and the capabilities they had and when you would see similar capabilities emerge elsewhere. That trendline I think has collapsed down to four to six months, something like that. In tandem with that collapse of timeline, we've also seen the emergence and articulation of a really robust ecosystem that has enabled the distillation of US models. I don't think that those two facts are unrelated. There's a lot I think that could be done potentially to try and counter that.

The challenge is that the information that you would need to be able to do that kind of thing is distributed amongst the wide array of industry actors at present. Industry actors, I can just speak for the FMF here. We have had to take a fairly conservative approach under antitrust law to even have a conversation about how to identify distillation. We have not had a conversation about how to counter it given kind of existing antitrust concerns. So I think there's some low hanging fruit in terms of what we might be able to do to address that issue in particular.

Rep. Vince Fong (R-Calif.):

So if I could follow up, Dr. Meserole, does the United States need a trusted open weight strategy where there's broader trusted access so that American allied models are available enough to compete globally?

Chris Meserole:

I will say within the context of the Frontier Model Forum, we've mainly focused on safety and security of models. And so unfortunately, I can't really speak to the development side of models.

Rep. Vince Fong (R-Calif.):

Does anyone want to chime in on that question, Mr. Cable?

Jack Cable:

I would say that yes. As I mentioned before, I believe the best way to counter this is to have open weight models originating from the United States that are the best in the world. We already have closed weight frontier models that are the best so I believe it's a matter of putting proper resources into making sure that we can have similarly competitive open weight models.

Rep. Vince Fong (R-Calif.):

Thank you. I think it's important for all of us to understand that the future is here. The threat is here, is not an academic conversation. So for America to tread water means you fall behind and I think that's why it's important that we have hearings like this. With that, I yield back.

Rep. Andy Ogles (R-Tenn.):

The gentleman yields back. I recognize the gentleman from Rhode Island, Mr. Magaziner, for five minutes.

Rep. Seth Magaziner (D-R.I.):

Thank you. On the topic of needing to stay ahead of China in the AI race, inevitably we keep coming back to the topic of why are we allowing the sale of advanced AI chips to China to help power their AI, which can be used to attack us. And so for over a year now, every cybersecurity panel that's come before this subcommittee I've asked, "Does anyone here think it is a good idea for the administration, the Trump administration to be allowing the sale of these advanced chips to China? And if so, why?" Every single expert panel we've had in front of us, no one has said yes, they think it's a good idea, not one person.

And not only has no panelist said that it's a good idea, but no member on either side of the aisle. In fact, I know that I think every member, if not most members, think that this is incredibly dangerous and we are not powerless in this. There is legislation, Republican led legislation to stop the sale of these chips that has already passed out of committee, but has languished and hasn't made it to the House floor. We should take matters into our own hands. We should discharge it. We should do something because nobody thinks this is a good idea from a cybersecurity point of view. Going back to the issue of having a federal government role in vetting frontier AI products before they are released to the market, whether you believe that it should be voluntary participation or mandatory participation, one question I think we need to answer is where would this function sit?

So my understanding is that under the executive order, Treasury is the primary nexus of this vetting function with input from other agencies. I think there's legislation, draft legislation that's been floating around Congress. I've heard that would place it at Commerce. Chairman McCall yesterday when we had Secretary Mullen in I think reminded everybody that when CISA was first created, this was the type of role in a less advanced context that CISA was envisioned to play. So I welcome feedback from everybody because we got to get this right, whether it's voluntary or mandatory for AI developers to participate in this sort of a vetting process before a product is released, where should that function sit and who should be involved in making sure that it's successful. I'll open that up to anybody.

Chris Meserole:

I think one thing that I would say is one of the things that we really encourage and have encouraged even a year ago in response to an RFI about the development of the AI action plan that the administration put together was that there would need to be sophisticated expertise on evaluation and testing within government. We were pleased to see last year that the Center for AI Standards and Innovation was kind of empowered to do a lot of that testing. I think to the extent that there needs to be greater public private partnerships in the development of this technology and assessments of the safety and security of these systems, I think the thing that I would underscore is that it is hard to do that without relevant expertise. And I think we've really welcomed the expertise that the CAISI has developed over the, since it was created.

Rep. Seth Magaziner (D-R.I.):

All right, thank you. Again, just sort of thinking in terms of next steps, building off of the executive order, are there any other ideas or insights for things that we ought to do in order to make this successful so that as these products come to market, there's appropriate consumer safety and an ability for defenders to defend themselves before the attackers are able to exploit their vulnerabilities.

Jack Cable:

Thank you, Congressman. I would say that where I would like to see more is to move beyond just this element of identifying and one-off fixes of vulnerabilities. That's what has often been the predominant strategy is very necessary to do so, right? But at the scale we are operating, mentioned Anthropic reporting 1,500 vulnerabilities via Mythos, only 6% of those being fixed. I would argue that's not enough and I think we have to be thinking bigger about how we can enable these large scale remediation campaigns, refactoring software systems. It will take time and money, but it is also the sort of thing that AI systems can help us with. I think those are the sort of actions as well as preventing vulnerabilities at scale as new software is being built with AI coding tools that are ultimately necessary and will allow us to upscale the security of our systems.

Rep. Seth Magaziner (D-R.I.):

Thank you. I'll just close by saying that I'm glad that Mythos has scared at least some people in the administration enough to take the issue of AI safety seriously. I think the hands-off approach from the last year was a mistake and now in a thoughtful, collaborative way with industry, it's time for us as a federal government to take our job seriously when it comes to protecting the American people. So I yield back.

Rep. Andy Ogles (R-Tenn.):

The gentleman yields back. I kind of want to piggyback on where you're going with this. When I think about China and the threat that China poses, when you think of a tool like Mythos, in the event, whether it's to impact an election, to have adverse effect on our economy, perhaps China's looking to do something in the Pacific, how real is the threat to our critical infrastructure like energy, like water, that they could start flipping switches to create that internal chaos so that they can, whatever their goal or desired outcome might be? Anyone?

Sandra Joyce:

I think the threat is something that we have seen already present for many years. We know that the threat is there. With AI models in particular, we've also seen that type of innovation not just from threat actors in China, North Korea, Iran, and others, but we're also seeing it with cyber criminals as well. So often the threat from nation states is more on reconnaissance, although in the case of Volt Typhoon, there's something a lot more concerning there. But what cyber criminals bring to the table is a lot more of sloppiness, a lot more recklessness in order to do things that are financially motivated. For example, we have seen them extort, do ransomware and with the latest report that we put out, we have seen them taking steps to even create their own harnesses and create an exploit using AI. So we know that they're making a lot of progress and we know that nation states are posing these threats today.

It's something that we see every single day.

Rep. Andy Ogles (R-Tenn.):

Anyone else want to chime in?

Jack Cable:

I would just agree with that in that we've already seen adversaries exploiting these systems through campaigns like Volt Typhoon, Salt Typhoon before AI. And we know that adversaries are leveraging AI to accelerate every step of these attacks. So to me, that is all the more reason to double down on defense. I think the best approach here is for defenders to deploy AI systems and shore up some of the foundational oftentimes relatively basic vulnerabilities that our adversaries are exploiting.

Rep. Andy Ogles (R-Tenn.):

Going back to the profit motive, obviously you talk about the sophistication of the models themselves and it doesn't have to be the latest and greatest to be effective. So what's the threat environment for the jailbroken versions of AI that are out there? I think any one of us with a little technical know-how can download and put on a laptop in a matter of seven, 10 minutes.

Sandra Joyce:

Well, what we have observed in the underground or what some people call the dark web is a whole marketplace of advertising for so-called jailbreaked bots of different kinds. Something as low as $99 a month you can go and get that. Now some of those are not true. Some of those are just criminals not being honest, which is not a surprise to anybody. But what we're also seeing is a lot more advancement with cyber criminals. They're doing things that are creating zero days. They're taking advantage of supply chain risks, cryptocurrency. So we're seeing a real vast marketplace of criminal enterprises both with scams and with other elements so much so that in my group, we have started a disruption unit, and what we have been doing is operationalizing the intelligence that we have in order to take down and create coordinated disruption of a lot of these different infrastructure. So for example, in January, Google's disruption unit took down something called the IP IDEA Residential Proxy Network and in doing so disrupted over 500 threat actors that were using this infrastructure to do the malicious distillation that we were talking about, but also to obscure where they're coming from to carry out their schemes. So we need to be thinking about, yes, intelligence sharing, but we need to go even further than that and start to have a purpose for that intel sharing and do more disruption work active defense in this area.

Rep. Andy Ogles (R-Tenn.):

On the idea of disruption, Dr. Meserole, I think you mentioned antitrust regulation. Is that a concern for any of you when you look at this marketplace of crossing and violating some sort of antitrust current law or are there reforms that need to be made in order that we can be more aggressive in protecting our country, quite frankly?

Chris Meserole:

I already alluded to this briefly, but under current antitrust guidance, I would say there's a lack of clarity about what actually can be done to the point again that we have not had conversations about how to counter what is happening. I think having a much clearer sense of what can and can't be done would be useful.

Rep. Andy Ogles (R-Tenn.):

Something to, if any of you have ideas to report back and give to committee, you can send them to me. I would love to, when we look at the regulatory reform or lack thereof or the clarity, lack thereof, there's things that we need to be doing in anticipation of what the marketplace is going to need. We are all ears. That's the purpose of this hearing today is to figure out what have we gotten wrong and what do we need to do better going forward. So any of you that have that type of input, please forward it to me as soon as you can get it ready. With that, I recognize the ranking member, Mr. Ramirez, for five minutes.

Rep. Delia Ramirez (D-Ill.):

Actually don't have any other questions at this moment, but I really do appreciate the follow-ups that you just asked for. Thank you.

Rep. Andy Ogles (R-Tenn.):

Yes, ma'am. Well, with that, we are nearing the end. I guess we'll just go down the line. We'll start on this end since we've been picking on Ms. Joyce the entire hearing and just kind of closer remarks. Anything that we missed that you want to kind of double down on, Mr. Guariglia?

Dr. Matthew Guariglia:

I think just the one thing that hasn't come up yet that I mentioned in my opening remarks is the US government's own finding and exploitation of zero days and thinking about the integrity of American critical infrastructure as being undermined by the government's also their desire to collect as much data as possible and to keep those vulnerabilities open for the purposes of exploiting for future surveillance. And so thinking about how the NSA and the intelligence agencies own desires to spy on Americans often undermines our own critical infrastructure.

Rep. Andy Ogles (R-Tenn.):

And if you have any thoughts that you'd like to forward on those types of concerns, 702, again, thinking forward, last thing we want to do is create Skynet or an observation tool that suddenly gets away from us, but I do appreciate your input, sir. Mr. Cable?

Jack Cable:

Thank you, chairman and ranking member for the opportunity to testify today. As I mentioned, I believe that we need to get ahead of these issues so that each model released doesn't create an emergency. And I believe that we can do that by putting in place these foundational defenses across our critical infrastructure or across the software products that we rely on across open source software and the foundational ecosystem that that is. And I believe we can use AI for these missions to prevent vulnerabilities in new code going forward by putting in place guardrails and to refactor existing code bases to root out entire classes of vulnerabilities. So I would encourage the committee to focus on how we can get ahead of these issues and I'm happy to work with you to do so.

Rep. Andy Ogles (R-Tenn.):

Dr. Meserole.

Chris Meserole:

I think one thing I would underscore, which I also alluded to in my opening testimony was just that the trendline here is pretty unmistakable. I think one of the reasons why I think we need to strengthen our public-private partnerships and information sharing mechanisms is so that when new capabilities come online, it is not coming as a surprise to the policy community. This is probably the current moment, I would say, is the third time this has happened in the last three or four years where the first one being the GPT moment, the second being the DeepSeek moment a year or so ago. And then now with Mythos and GPT 5.5, what concerns me is that to the expert community that is working on these issues, none of those things came as a surprise. And so I think we need to develop, again, much closer and more tightly-knit information sharing mechanisms and public-private partnerships to ensure that the policy community and others are getting the information they need and understanding it ahead of the moment as opposed to in response to it.

Rep. Andy Ogles (R-Tenn.):

Well, and to that point, AI is advancing so quickly and let's be honest, Congress tends to move quite slowly. So I would agree with you wholeheartedly that we've got to increase the speed at which we're communicating so that we can react and it doesn't become an emergency every time we have a new release. Ms. Joyce, final word.

Sandra Joyce:

I think we have said that this technology at AI is too important to not regulate and it's too important to not regulate well. So Google stands by to be a useful and dependable partner in this space as we support American leadership in these critical technologies.

Rep. Andy Ogles (R-Tenn.):

I want to thank all the witnesses for their testimony and members for their questions. So members of the subcommittee may have some additional questions for the witnesses and would ask and I would ask that the witnesses respond to these in writing pursuant to committee rule 7E. The hearing record will be open for 10 days. Without objection, this subcommittee stands adjourned.


Authors

Justin Hendrix
Justin Hendrix is CEO and Editor of Tech Policy Press, a nonprofit media venture concerned with the intersection of technology and democracy. Previously, he was Executive Director of NYC Media Lab. He spent over a decade at The Economist in roles including Vice President of Business Development & In...
