The U.S. House Homeland Security Subcommittee on Cybersecurity and Infrastructure Protection held a hearing examining how frontier AI models, agentic AI systems, and AI-powered coding tools are reshaping cybersecurity and critical infrastructure resilience. Lawmakers and witnesses explored the technologies’ dual role in strengthening cyber defenses while also enabling more sophisticated and scalable cyber threats.
Witnesses included Sandra Joyce, vice president of Google Threat Intelligence at Google; Chris Meserole, executive director of the Frontier Model Forum; Jack Cable, chief executive officer and co-founder of Corridor Security; and Matthew Guariglia, senior policy analyst at the Electronic Frontier Foundation. Together, the witnesses represented perspectives from threat intelligence, frontier AI governance, cybersecurity research, and digital rights policy.
In his opening statement, Andy Ogles, a Tennessee Republican and Subcommittee chairman, described the hearing as “examining how artificial intelligence is changing the foundations of cybersecurity and the security of our critical infrastructure. This Committee has taken these threats and risks seriously for months. We have held roundtables, hearings, and briefings with the leading AI laboratories and cyber companies in the country, and we have opened a joint investigation with the Select Committee on China into the proliferation of Chinese AI models.”
The hearing was held after President Donald Trump signed an executive order last week directing the Secretaries of the Treasury, Homeland Security, and War to develop a classified benchmarking process for advanced AI cyber capabilities and design a voluntary framework for early government access to covered frontier models.
“The President is right to act. These models are already reshaping the threat landscape, and the federal government cannot be the last to understand what they can do,” Ogles said. “I want to be clear that this Subcommittee intends to watch closely how CISA carries out its responsibilities under that framework. CISA has statutory authorities under the Cybersecurity Information Sharing Act of 2015, operates the Known Exploited Vulnerabilities catalog, and serves as the lead civilian agency for critical infrastructure cybersecurity. How CISA fulfills its role under this order, especially in translating early model access into practical guidance and vulnerability remediation for critical infrastructure operators, will be a central oversight question for this Subcommittee in the months ahead.”
To understand why that matters, Ogles said, consider what these models can now do. “Until recently, finding a serious unknown flaw in widely used software took skilled researchers months of painstaking work. Frontier AI models are collapsing that timeline. We now have models that can discover and exploit previously unknown vulnerabilities on their own, at machine speed, across the systems that run nearly everything in our economy. The most advanced of these models was judged too dangerous to release publicly, so it was shared with roughly fifty large companies to help them find and fix flaws before our adversaries could.”
Ogles warned that the growing availability of low-cost, capable Chinese AI models could drive their adoption across global markets. He argued that developers and companies in the United States, Europe, South America, Asia, and Africa are already making choices about which AI foundations to build upon, and cautioned that inaction could allow Chinese models to become the default platform of the global digital economy.
According to Ogles, such an outcome could embed censorship concerns, introduce security uncertainties, and spread capabilities derived from Western research without the safety guardrails developed by their original creators.
“We cannot let the world grow dependent on Chinese AI the way it grew dependent on other Chinese technologies we are now scrambling to address,” he added. “The United States needs a serious strategy to ensure capable American models, especially open-weight models that developers, companies, and governments can deploy and adapt, are a real alternative.”
Finally, he said, “I want to name the issues practitioners care about, because getting them right is how we secure the country. More of our software is now written by AI, faster than human reviewers can keep up, which makes secure-by-design practices where security is built in from the first line of code more important than ever. It makes AI coding tools a real concern when those tools are built on foreign models we cannot fully vet. And it makes agentic AI, software that plans and acts on its own across our networks, an entirely new attack surface our defenses were never built to withstand.”
Joyce outlined in her testimony that for critical infrastructure operators and public sector networks, defense-at-scale requires an automated mechanism that shifts focus away from mere bug hunting and toward comprehensive environmental exposure management.
“Google’s software and AI development pipeline relies on advanced threat modeling to proactively identify emerging threat trends and systemic risks, and to explicitly design our products for inherent safety,” she said. “Rather than treating security as an afterthought, we continuously enhance safeguards inside our active products to offer scaled, adaptive protections to enterprise users and critical infrastructure operators across the globe.”
Google is advancing an always-on autonomous cyber defense model built around four continuous phases: Prepare, Scan & Prioritize, Remediate, and Monitor. The framework is designed to reduce reliance on reactive incident response by using AI-driven simulation agents to map attack paths, identify reachable vulnerabilities, validate risk using operational context, and prioritize the exposures that pose the greatest threat to critical systems.
The approach extends beyond detection to machine-speed remediation and continuous monitoring. Autonomous security agents can generate and apply code fixes, while agentic SOC capabilities automate the detection, investigation, and response to emerging threats across networks, identities, and applications. By linking real-world exposure analysis with intelligent patching and runtime defense, Google aims to create a continuous cyber resilience loop capable of keeping pace with the growing scale and speed of AI-driven attacks.
Clearly, cybersecurity has never been an environment where absolute perfection is possible. It will remain a fiercely contested, highly dynamic domain for years to come, demanding continuous innovation, speed, and structural agility to defeat adaptive adversaries.
“As this Committee looks to secure our homeland and fortify the digital architecture supporting American critical infrastructure, Google stands ready to serve as a committed, transparent partner,” Joyce said. “By combining public-sector authority with private-sector technical innovation, we can harness the immense potential of artificial intelligence to tip the scales of cybersecurity permanently in favor of the defender.”
Meserole focused on three main points. “The first is that the advanced cyber capabilities of today’s frontier models follow a longstanding trendline and do not represent an unexpected jump in capability. The second is that the advanced cyber capabilities of today’s models pose credible risks to cybersecurity and critical infrastructure, especially given the rise of adversarial distillation. Finally, the last point I’ll make is that there is a great deal we can do to manage those risks, particularly when it comes to leveraging AI for cyberdefense, advancing cyber practices and standards, and building on existing information-sharing mechanisms and infrastructure.”
He observed that advanced AI models are increasingly capable of identifying and exploiting software vulnerabilities, creating both opportunities for defenders and new risks from attackers. Hackers linked to China, Iran, Russia, and North Korea are already using frontier AI models across the cyber attack lifecycle, while cybercriminals leverage AI-generated tools, including ransomware. As AI lowers the skill and cost barriers for offensive cyber operations, smaller and under-resourced critical infrastructure operators in sectors such as water, energy, healthcare, and local government could face heightened exposure to attacks.
“The threat to cybersecurity and critical infrastructure is twofold. The first is obvious: if left unchecked, foreign rivals can leverage adversarial distillation to accelerate their own domestic AI capabilities, which state-linked actors can then use to target the United States,” according to Meserole. “The second is less straightforward: when adversarially distilled models are openly released, malicious actors of all kinds are able to leverage their capabilities for misuse without worrying about safeguards disrupting their efforts. Any effort to secure U.S. critical infrastructure will be ineffective without a parallel effort to address adversarial distillation.”
The testimony argued that the most effective response to AI-enabled cyber threats is to ensure defenders can harness advanced AI capabilities before attackers do. Frontier AI systems can accelerate vulnerability discovery and remediation, improve threat detection and incident response, and support more secure software development, including modernization of legacy systems. The witness highlighted initiatives from leading AI developers that provide trusted cybersecurity practitioners with early access to advanced capabilities to strengthen cyber resilience.
Beyond defensive applications, the testimony emphasized the need for stronger information sharing, updated cybersecurity standards, and more rigorous evaluation frameworks for frontier AI systems. Rather than creating new institutions, policymakers were urged to build on existing information-sharing channels, cybersecurity practices, and risk management frameworks while advancing standards for AI agents and developing more realistic benchmarks to measure cyber capabilities. Together, these efforts were presented as essential to managing emerging AI risks while strengthening the security of critical infrastructure and the broader cybersecurity ecosystem.
In conclusion, Meserole said that the latest generation of frontier AI models and agents demonstrated impressive cyber capabilities, with significant implications for U.S. cybersecurity and critical infrastructure resilience. “Yet those capabilities are not unexpected: they are the continuation of a trend that has been visible for several years and that is likely to continue in the years ahead. Addressing the risks posed by those capabilities will be challenging, but fortunately, we have a strong foundation to start from.”
He added that building on existing information-sharing channels, strengthening established cybersecurity practices and frameworks, expanding AI use for cyber defense, and investing in advanced cyber evaluation capabilities could improve the resilience of U.S. cybersecurity and critical infrastructure.
Cable said the challenge is especially acute for open source software, since it is a public good, and that open source software underpins every software service we rely upon, including across critical infrastructure and the federal government.
He urged Congress to strengthen the open source software ecosystem that underpins both critical infrastructure and federal systems, warning that these widely used projects could become prime targets as adversaries gain access to increasingly capable frontier AI models. Rather than relying on isolated fixes, he called for a multi-billion-dollar nonprofit initiative dedicated to the long-term maintenance, security-focused modernization, and refactoring of critical open source components, including support for project forks and the recruitment of new maintainers where necessary.
Cable also encouraged lawmakers to pass the Securing Open Source Software Act, which would expand CISA’s ability to engage with the open source community and establish foundational open source security expertise within the federal government.
In his testimony, Guariglia said that the use of a niche model for a specific purpose, such as improving accessibility on a website for the vision-impaired or finding vulnerabilities in critical infrastructure, poses less risk to privacy and civil liberties.
“Security experts—both attackers and defenders—search for software vulnerabilities. Attackers do so to exploit them. Defenders do so to fix them so they cannot be exploited in the future. In intelligence and security operations, government acts, at different times, as an attacker and a defender,” Guariglia said. “In espionage, government sometimes exploits vulnerabilities to gain access and extract information. At the same time, government acts to protect its own citizens and critical infrastructure from attackers.”
Last month, the U.S. House Committee on Homeland Security and the House Select Committee on China launched a joint investigation into national security and cybersecurity risks tied to increased use of AI models developed in China, including low-cost, open-weight, and API-accessible systems, such as those from DeepSeek, Alibaba, Moonshot AI, and MiniMax. Lawmakers are examining concerns that some China-based AI providers may be distilling capabilities from leading U.S. models without authorization and repackaging them into cheaper systems that may lack equivalent safety controls, before making them available to American users and organizations.


