The Five Eyes' warning that AI-powered cyberattacks are now a "months, not years" problem is no longer just an alarm. It is a deadline the US government has already started running against.
When the cyber agencies of the United States, United Kingdom, Canada, Australia, and New Zealand published their joint statement this month, the most concrete sentence was not the dramatic one. It was the structural one: AI is "already here" as a cyber threat, and boards and executives need to treat it as a "core business risk and leadership responsibility" today (Five Eyes joint statement). The same statement listed five immediate actions: reduce attack surface, accelerate patching, address legacy systems, review identity and access controls, and prepare for incidents. They read less like advice and more like an audit checklist.
Washington's response is where the "months" timeline stops being rhetorical. Executive Order 14409, "Promoting Advanced AI Innovation and Security," turns the warning into a 30-day clock (Executive Order 14409). Inside that window, the Cybersecurity and Infrastructure Security Agency (CISA) must issue Binding Operational Directives for civilian federal systems, the National Security Agency (NSA) and the War Department must prioritize cyber defense of national-security and Department of War networks, and Treasury, CISA, and NSA must stand up an AI cybersecurity clearinghouse that coordinates vulnerability scanning, validation, and patching for federal, state, local, and critical-infrastructure operators. The Office of Management and Budget has 60 days to identify grant funding that can be steered toward advanced AI vulnerability detection. The order also directs the clearinghouse to facilitate access to "covered frontier models," a term that, in context, points to the most capable AI systems, including those whose cyber capabilities the government has previously restricted.
That last provision matters because it is the policy bridge to the model the warning is implicitly about. Anthropic's "Mythos," a frontier AI system the company has withheld in full because of its cyber capabilities, is the recurring concrete example in this reporting cycle. CNBC and the AP reported that a US official said Mythos found vulnerabilities in classified US government systems (CNBC/AP report). Separately, cybersecurity trade press, citing The Economist, reported that the NSA director told a US senator the model "broke into almost all of our classified systems, not in weeks, but in hours" (Cybersecurity News report), a striking claim whose exact wording should be checked against the original Economist piece before being treated as a direct quotation. Anthropic has since released a Mythos-like model without the cyber capabilities (Bloomberg) and is expanding access through "Project Glasswing" to roughly 150 organizations across more than 15 countries, targeting critical-infrastructure operators (TechCrunch).
The shift the Five Eyes statement and the executive order together describe is what cybersecurity practitioners have started calling the move from human-led research to machine-scale operations on both sides of the offense-defense line (Radware analysis). When a single model can sweep a classified network in hours, the bottleneck stops being attacker skill and becomes operator patching speed, identity hygiene, and access to the same kind of frontier tooling. That is why the clearinghouse and the binding directives matter more than the warning itself: they are the federal attempt to put defenders on the same clock as the threat.
The honest limit is that the policy is still mostly on paper. A clearinghouse that coordinates vulnerability scanning, validation, and patching, and that brokers access to frontier AI models for state, local, and critical-infrastructure operators, is only as protective as the operators it actually reaches. The Five Eyes statement does not name threat actors or specific incidents, and the executive order's 30-day deadline for Binding Operational Directives applies to federal civilian systems first. The rest of the response rides on whether critical-infrastructure operators outside the federal perimeter can operationalize the same access in time. The "months" clock is running for them too.
What to watch next: whether CISA's binding directives, due inside 30 days, name concrete deadlines for state and critical-infrastructure operators; whether the clearinghouse publishes a covered-model access mechanism that private operators can actually use; and whether the OMB grant determinations inside 60 days steer funding toward AI-assisted vulnerability discovery at the operator level rather than only at federal agencies.