With artificial intelligence driving faster vulnerability detection but also quicker hacking, the United States Cybersecurity and Infrastructure Security Agency (CISA) has issued a new directive requiring federal civilian agencies to fix critical bugs within just three days.
This 'binding operational directive' prioritizes addressing high-risk vulnerabilities swiftly while allowing more time for lower-urgency issues. CISA’s Chris Butera highlighted that defenders must act rapidly, as attackers can now autonomously exploit systems en masse with minimal delay.
The new criteria for assessing patch urgency include public exposure of the system, listing in CISA's Known Exploited Vulnerabilities Catalog, and ease of automation by an attacker. A vulnerability meeting all three conditions must be fixed within three days, according to the directive. Agencies are also required to conduct a 'forensic triage' process to check whether affected systems have already been compromised.
Despite this push for swifter patching, some experts argue that architectural and systemic changes in software development may be necessary. Emily Long of Edera Cloud Security contends that architecture must limit an attacker's reach post-breach, suggesting that while patching is crucial, more fundamental approaches are needed to truly secure systems.