On June 22, the leaders of the cybersecurity agencies in Australia, Canada, New Zealand, the UK, and the U.S. issued a joint statement calling for an “urgent” focus on cyber resilience in anticipation of “frontier AI models . . . exceed[ing] current industry expectations” and “fundamentally transforming both offensive and defensive cyber capabilities” within a timeline of “months.”  The frontier AI models referenced in the statement are the latest generation of advanced AI models that are capable of identifying and exploiting security vulnerabilities, which may result in an increased cadence of cybersecurity intrusions and data loss.  In light of the growing capabilities of these models, the statement encourages organizations to avoid treating cyber risk “as a purely technical issue” or an “IT issue” and instead take a “whole-of-organization” approach to cyber resilience that treats it as a “core business risk and leadership responsibility” that is “central to operational continuity and market trust.”  The statement also proposes several “urgent” practical actions that organizations can take to reduce risk, many of which were also discussed in our recent client alert regarding key considerations for lawyers addressing cyber risks posed by frontier models. 

In light of the anticipated “rapid” shift in the cyber risk landscape, the statement cautions that “cyber risk assumptions,” which can underpin organizations’ cybersecurity approaches, “can become outdated in months, not years.”  The statement encourages organizations looking to protect against evolving risks to “integrat[e] cyber security into core business strategy” and consider opportunities to integrate AI into security operations to detect vulnerabilities, improve software quality, monitor for unusual behavior on networks, and respond more quickly to incidents.  Notably, the statement anticipates that while “[b]reaches will occur,” it emphasizes that preparedness is key and “[b]oards and executives should ensure cyber resilience is in place and works under pressure.”

The statement also encourages organizations to implement the following foundational security practices, noting that even if they are “not new,” their implementation is “urgent” to reduce risk: 

  1. Reduce attack surface by limiting unnecessary system access and external connectivity.
  • Accelerate patching processes to address the ways that AI is shortening the time between vulnerability discovery and exploitation, including prioritizing security updates to manage risk.
  • Address legacy systems that are no longer supported with security updates, which are easier targets.  
  • Review and strengthen identity and access controls to limit who can access critical systems and regularly review permissions.
  • Prepare for incidents before they happen, including by testing response plans, training and preparing teams, and focusing on fast containment and recovery on the assumption that beaches will occur.

Tags: Artificial Intelligence, Cybersecurity
Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Ashden Fein Ashden Fein

Ashden Fein is co-chair of Covington’s Data Privacy and Cybersecurity Practice. He advises clients on cybersecurity and national security matters, including crisis management and incident response, risk management and governance, government and internal investigations, and regulatory compliance. Ashden also serves as lead counsel…

Ashden Fein is co-chair of Covington’s Data Privacy and Cybersecurity Practice. He advises clients on cybersecurity and national security matters, including crisis management and incident response, risk management and governance, government and internal investigations, and regulatory compliance. Ashden also serves as lead counsel in criminal, civil, and internal investigations involving cybersecurity, insider risk, and U.S. national security issues.

Ashden regularly counsels clients on preparing for and responding to cyber-based attacks, assessing security controls and practices for the protection of data and systems, developing and implementing cybersecurity risk management and governance programs, and complying with federal and state regulatory requirements. Ashden frequently supports clients as the lead investigator and crisis manager for global cyber and data security incidents, including data breaches involving personal data, advanced persistent threats targeting intellectual property across industries, state-sponsored theft of sensitive U.S. government information, extortion and ransomware, and destructive attacks.

Ashden also assists clients from across industries with leading internal investigations and responding to government inquiries related to U.S. national security and insider risks. He frequently represents government contractors in False Claims Act matters involving cybersecurity and national security. Additionally, he advises aerospace, defense, and intelligence contractors on security compliance under U.S. national security laws and regulations including, among others, the National Industrial Security Program (NISPOM), U.S. government cybersecurity regulations, FedRAMP, and requirements related to supply chain security.

Before joining Covington, Ashden served on active duty in the U.S. Army as a Military Intelligence officer and prosecutor specializing in cybercrime and national security investigations and prosecutions — to include serving as the lead trial lawyer in the prosecution of Private Chelsea (Bradley) Manning for the unlawful disclosure of classified information to Wikileaks. Ashden is a retired U.S. Army officer.

Read more about Ashden FeinEmail
Show more Show less
Photo of Caleb Skeath Caleb Skeath

Caleb Skeath helps companies manage their most complex and high‑stakes cybersecurity and data security challenges, combining deep regulatory insight, technical fluency, and practical judgment informed by leading incident response matters.

Caleb Skeath advises in‑house legal and security teams on the full lifecycle of…

Caleb Skeath helps companies manage their most complex and high‑stakes cybersecurity and data security challenges, combining deep regulatory insight, technical fluency, and practical judgment informed by leading incident response matters.

Caleb Skeath advises in‑house legal and security teams on the full lifecycle of cybersecurity and privacy risk—from governance and preparedness through incident response, regulatory engagement, and follow‑on litigation. A Certified Information Systems Security Professional (CISSP), he is trusted by clients across highly regulated and technology‑driven sectors to provide clear, practical guidance at moments when legal judgment, technical understanding, and business realities must be aligned.

Caleb has deep experience leading and overseeing responses to complex cybersecurity incidents, including ransomware, data theft and extortion, business email compromise, advanced persistent threats and state-sponsored threat actors, insider threats, and inadvertent data loss. He regularly helps in‑house counsel structure and manage investigations under attorney‑client privilege; coordinate with internal IT, information security, and executive stakeholders; and engage with forensic firms, crisis communications providers, insurers, and law enforcement. A central focus of his practice is advising on notification obligations and strategy, including the application of U.S. federal and state data breach notification laws and requirements along with contractual notification obligations, and helping companies make defensible, risk‑informed decisions about timing, scope, and messaging.

In addition to his work responding to cybersecurity incidents, Caleb works closely with clients’ legal, technical, and compliance teams on cybersecurity governance, regulatory compliance, and pre‑incident planning. He has extensive experience drafting and reviewing cybersecurity policies, incident response plans, and vendor contract provisions; supervising cybersecurity assessments under privilege; and advising on training and tabletop exercises designed to prepare organizations for real‑world incidents. His work frequently involves translating evolving regulatory expectations into actionable guidance for in‑house counsel, including in highly-regulated sectors such as the financial sector (including compliance with NYDFS cybersecurity regulations, the Computer Security Incident Notification Rule, and GLBA guidelines and guidance) and the pharmaceutical and healthcare sector (including compliance with GxP standards, FDA medical device guidance, and HIPAA).

Caleb’s practice also addresses evolving and emerging areas of cybersecurity and data security law, including advising clients on compliance with the Department of Justice’s Data Security Program, CISA‑related security requirements for restricted transactions, and preparation for new regulatory regimes such as the CCPA cybersecurity audit requirements and federal incident reporting obligations. He regularly counsels clients on how artificial intelligence and connected devices intersect with cybersecurity, privacy, and consumer protection risk, and how to support innovation while managing regulatory exposure.

Caleb also has extensive experience helping clients navigate high-stakes cybersecurity-related inquiries from the Federal Trade Commission, state Attorneys General, and other sector-specific regulators, including incident-specific inquiries as well as broader inquiries related to an entity’s cybersecurity practices and the security of product or service offerings. For companies that have entered into cybersecurity-related settlement agreements with regulators, Caleb has helped guide them through compliance with settlement agreement obligations, including navigating required third-party assessments and strategically responding to cybersecurity incidents that can arise while a company is subject to a settlement agreement. Caleb also routinely works hand-in-hand with colleagues in Covington’s class action litigation, commercial litigation, and insurance recovery practices to prepare for and successfully navigate incident-related disputes that can devolve into litigation.

Read more about Caleb SkeathEmail
Show more Show less
Photo of Jim Garland Jim Garland

Jim Garland’s practice focuses on government investigations and enforcement matters, litigation, and cybersecurity. Recognized by Chambers USA as a leading practitioner in both the white collar and cybersecurity categories, Jim draws upon his experience as a former senior Justice Department official to advise…

Jim Garland’s practice focuses on government investigations and enforcement matters, litigation, and cybersecurity. Recognized by Chambers USA as a leading practitioner in both the white collar and cybersecurity categories, Jim draws upon his experience as a former senior Justice Department official to advise clients on sensitive, multidimensional disputes and investigations, often with national security implications. He previously served as co-chair of Covington’s “Band 1”-ranked White Collar and Investigations Practice Group and currently is a member of the firm’s Management and Executive Committees.

Jim regularly represents corporate and individual clients in government investigations and enforcement actions. He has successfully handled matters involving allegations of economic espionage, theft of trade secrets, terrorism-financing, sanctions and export control violations, money laundering, foreign bribery, public corruption, fraud, and obstruction of justice. He has particular expertise advising clients in connection with investigations and disputes involving electronic surveillance and law enforcement access to digital evidence.

Jim has substantial experience litigating high-stakes, multidimensional disputes for clients across a range of industries, including companies in the high-tech, financial services, defense, transportation, media and entertainment, and life sciences sectors. Many of his civil representations have substantial cross-border dimensions or involve parallel government enforcement proceedings in multiple forums.

In conjunction with his investigations and litigation practice, Jim regularly assists clients with cybersecurity preparedness and incident-response matters. He helps clients in assessing security controls and in developing policies and procedures for the protection of sensitive corporate data. He also regularly assists companies in responding to significant cybersecurity incidents, including in connection with criminal and state-sponsored attacks targeting customer and employee data, financial information, and trade secrets.

From 2009 to 2010, Jim served as Deputy Chief of Staff and Counselor to Attorney General Eric Holder at the U.S. Department of Justice. In that role, he advised the Attorney General on a range of enforcement issues, with an emphasis on criminal, cybersecurity, and surveillance matters.

Read more about Jim GarlandEmail
Show more Show less
Photo of Micaela McMurrough Micaela McMurrough

Micaela McMurrough serves as co-chair of Covington’s global and multi-disciplinary Technology Group, as co-chair of the Artificial Intelligence and Internet of Things (IoT) initiative. In her practice, she has represented clients in high-stakes antitrust, patent, trade secrets, contract, and securities litigation, and other…

Micaela McMurrough serves as co-chair of Covington’s global and multi-disciplinary Technology Group, as co-chair of the Artificial Intelligence and Internet of Things (IoT) initiative. In her practice, she has represented clients in high-stakes antitrust, patent, trade secrets, contract, and securities litigation, and other complex commercial litigation matters, and she regularly represents and advises domestic and international clients on cybersecurity and data privacy issues, including cybersecurity investigations and cyber incident response. Micaela has advised clients on data breaches and other network intrusions, conducted cybersecurity investigations, and advised clients regarding evolving cybersecurity regulations and cybersecurity norms in the context of international law.

In 2016, Micaela was selected as one of thirteen Madison Policy Forum Military-Business Cybersecurity Fellows. She regularly engages with government, military, and business leaders in the cybersecurity industry in an effort to develop national strategies for complex cyber issues and policy challenges. Micaela previously served as a United States Presidential Leadership Scholar, principally responsible for launching a program to familiarize federal judges with various aspects of the U.S. national security structure and national intelligence community.

Prior to her legal career, Micaela served in the Military Intelligence Branch of the United States Army. She served as Intelligence Officer of a 1,200-member maneuver unit conducting combat operations in Afghanistan and was awarded the Bronze Star.

Read more about Micaela McMurroughEmail
Show more Show less
Photo of Ali Cooper-Ponte Ali Cooper-Ponte

Ali Cooper-Ponte draws on her experience at the U.S. Department of Justice to advise clients on complex and sensitive national security, cybersecurity, and online safety matters across regulatory, investigations, enforcement, and litigation contexts.

In her investigations and litigation practice, Ali guides clients through…

Ali Cooper-Ponte draws on her experience at the U.S. Department of Justice to advise clients on complex and sensitive national security, cybersecurity, and online safety matters across regulatory, investigations, enforcement, and litigation contexts.

In her investigations and litigation practice, Ali guides clients through both internal and government investigations. She helps clients across industries navigate significant enterprise risks, including insider, criminal, and advanced persistent or nation-state threats, as well as challenges relating to emerging technologies. She has also helped clients proactively engage with or respond to inquiries by the U.S. Department of Justice, state Attorneys General, and the Federal Trade Commission.

In her advisory practice, Ali helps clients strategically manage rapidly-changing regulatory and technological landscapes. She counsels clients on compliance with national security, cybersecurity, data privacy, content moderation, and child exploitation laws. She has particular expertise on issues relating to government access to data, including the Electronic Communications Privacy Act and the Foreign Intelligence Surveillance Act and the Fourth Amendment. She also has significant experience with new Federal and state laws implicating Section 230 of the Communications Decency Act and the First Amendment. Here, her experience spans industries (including the technology, healthcare, cryptocurrency and financial services, and aerospace and defense industries) and includes providing practical advice on new legislation, regulatory frameworks, and court rulings as well as developing legislative proposals and potential challenges to new legislation and government action.

Previously, Ali served in the U.S. Department of Justice as Senior Counsel in the Office of the Assistant Attorney General for the Criminal Division, where she focused on the cyber and child exploitation portfolios, and as a Trial Attorney in the National Security Division’s National Security Cyber Section and the Criminal Division’s Computer Crime and Intellectual Property Section. She joined the Justice Department as part of its inaugural class of Cyber Fellows, which gave her broad exposure to the Department’s work to address cyber and cyber-enabled threats.

Earlier in her career, Ali clerked for Judge José A. Cabranes on the U.S. Court of Appeals for the Second Circuit. Prior to law school, Ali worked as a legal investigations specialist focused on electronic surveillance and law enforcement access issues at a large technology company.

In addition to her regular practice, Ali leverages her experience to counsel pro bono clients engaged in work to protect children and civil liberties.

Read more about Ali Cooper-PonteEmail
Show more Show less