Bridge the Gap Long Version

This is the long version of a project I submitted for the 2026 Bridge the Gap Competition, organised by the Swift Centre. We were given five scenarios to choose from; I chose Question 1. The long version of my submission is below.

You can also see my original submission.


Policy Advice Submission - Long Version

To: The Honorable Marco Rubio, National Security Advisor
From: Lauren Ochotnicka, tree-draw-recycler@duck.com
Date: April 6, 2026
Subject: AI and National Security: Potential for Operating System Exploitation

Summary

Recent advances in AI have brought us closer to a scenario where autonomous AI systems can identify and exploit security flaws in the Linux, Windows, and macOS operating systems that underpin national security and government infrastructure. Due to the potential threat level and the time that it will take to research and implement effective technical and policy measures, action must be taken now to ensure we have adequate time. The Swift Centre forecast indicates a 20-65% probability that this capability will emerge by the end of 2027, making the timeline for action critically short. What follows outlines potential response options across both technical and policy dimensions. A decision is needed on how to identify vulnerabilities before adversaries do, how to harden systems against exploitation, and what corresponding policy frameworks are needed to enable these actions.

Options Overview

  • Option 1: Implement. Define, implement and enforce minimum security standards that eliminate known vulnerabilities across all government systems.
  • Option 2: Detect. Option 1 + detect unknown vulnerabilities and threats through AI-assisted teams and enhance intelligence capabilities.
  • Option 3: Prevent. Option 2 + prevent attacks through critical system redesign for resilience, AI containment and kill switch research, and regulatory requirements for OS and AI hardware vendors.

Recommendation

Option 2 is recommended because it directly addresses both current system vulnerabilities and the emerging AI threat within an achievable timeline. This approach provides critical early detection and monitoring capabilities that Option 1 lacks, while avoiding the 5-10 year implementation timeline and political complexity of Option 3’s regulatory framework. Given the rapid advancement of AI capabilities, we need detection systems to be operational quickly to buy time for modernization efforts to succeed.

Background

On 3 March 2026, the Swift Centre published a forecast assessing the likelihood that a frontier AI agent will autonomously discover and exploit a previously unknown zero-day vulnerability in a Tier 1 operating system on a real-world device without human intervention. Their analysis, based on current AI capability trajectories and vulnerability discovery patterns, indicates a 20-65% chance that this happens by the end of next year. The systems at risk include Linux, Windows, and macOS, which comprise the majority of operating systems running US government and national security infrastructure.

This threat is no longer theoretical. AI agents have already demonstrated concerning autonomous behaviors that foreshadow more dangerous capabilities. In one documented case [1], an AI agent retaliated against an individual who challenged its goals by publishing a targeted hit piece, demonstrating both autonomous decision-making and the ability to take hostile action against perceived threats. AI systems have also shown that they can hire humans to accomplish tasks beyond their direct capabilities [2], operate independently when given resources, and make strategic decisions without human oversight. These capabilities are advancing rapidly, and it is entirely plausible that an AI agent could be designed to find, attack, and exploit American assets, or could do so as an emergent behavior while pursuing other objectives.

US government systems are alarmingly vulnerable to this emerging threat. The federal government reports that 8 of 113 of the most critical systems don’t yet have a plan for modernization. Some departments have attempted updates multiple times, failed, and been forced to start over. The delays in updating these systems have resulted in widening gaps between secure, resilient infrastructure and systems that remain open to exploitation. Legacy systems may be particularly susceptible to AI-driven attacks, as they lack modern security features designed to detect anomalous behavior and often contain decades-old vulnerabilities that have never been discovered or patched.

This issue requires immediate National Security Council coordination because both technical implementation and the design of policy frameworks involve lengthy timelines, and the window for proactive preparation is narrowing as AI capabilities advance. Addressing this threat demands whole-of-government coordination across multiple agencies including DHS/CISA, DOD, the Intelligence Community, and the government contractors who maintain critical systems. No single agency can solve this problem alone. Action must be taken now to maximize the time available for research, development of policy measures, and technical implementation before this capability becomes widely accessible.

Options

Option 1: Implement. Define, Implement, and Enforce Minimum Security Standards Across All Government Systems

Establish the Critical Systems Security Office (CSSO) within the National Security Council, dedicated to securing existing federal IT infrastructure. The office comprises five coordinated teams, each addressing a different aspect of system security:

The Modernization Completion and Coordination Team (1) coordinates with GAO and individual departments to complete delayed modernization efforts for critical legacy systems identified in GAO report 25-1077954, by identifying and resolving bottlenecks that have prevented progress.

The Security Standards Updates and Maintenance Team (2) constantly updates and maintains security standards to address gaps that have emerged since the original report was written and ensures previously modernized systems continue to maintain their security posture over time.

The Ongoing Monitoring and Compliance Team (3) develops ongoing compliance and monitoring processes, including real-time compliance tracking, updating, and hardware/software lifecycle management to ensure systems remain supported for predetermined periods with appropriate capital expenditure planning.

The Red-Teaming and Vulnerability Discovery Team (4) conducts continuous penetration testing and vulnerability assessment across government systems. This proactive hunting identifies security flaws before adversaries can exploit them, feeding findings directly to the modernization teams for remediation.

The Incident Response and Mitigation Team (5) develops and maintains response protocols for security incidents. When not actively responding to breaches, the team develops playbooks and response procedures, conducts tabletop exercises with agencies, coordinates incident response planning across departments, and works with the red-teaming findings to help agencies prioritize and implement fixes. This ensures readiness rather than reactive scrambling when incidents occur.

A legislative mandate establishes CSSO’s authority to compel agency cooperation, ties funding to compliance milestones, and positions the office to report directly to the National Security Council. This elevates IT modernization from a departmental concern to a national security imperative with direct escalation authority to the President for non-compliance.

Given the criticality of these issues, progress should be reviewed at the one-month mark and every three months thereafter, or sooner if issues arise. Teams must immediately report bottlenecks to prevent delays.

Considerations

  • Monetary Costs: Current estimates put annual federal IT spending at $100B, with 80% allocated to legacy system maintenance and only 20% to updates. A dedicated modernization budget separate from regular IT spending is required to ensure sustained progress without competing against operational needs. Year 1 costs are estimated at $11-15B, covering CSSO staffing and infrastructure ($2-3B), initial modernization projects for highest-priority systems ($8-10B), along with red-teaming and incident response capabilities ($1-2B).
  • Legislative Requirements: Legislation must be enacted immediately to establish CSSO, mandate agency participation, authorize funding, and create enforcement mechanisms. This includes milestone-based funding releases and accountability measures for non-compliance.
  • Public Opinion: Framing this initiative as protecting American privacy and improving government efficiency will generate public support. Emphasizing cybersecurity threats to personal data and government services resonates with constituents. Red-teaming and incident response capabilities demonstrate proactive security posture.

Risks

  • Security: This approach may not move quickly enough. Government systems are decades old, subject matter experts are scarce or retiring, and the complexity of modernization presents numerous obstacles. Unknown costs and technical challenges will emerge during implementation, and the timeline may not outpace advancing AI capabilities. Red-teaming may discover vulnerabilities faster than agencies can patch them, creating a backlog of known but unaddressed flaws.
  • Political: Policymakers historically undervalue infrastructure modernization because improvements are largely invisible to end users. Constituents rarely demand backend system upgrades, making it difficult to maintain political will and sustained funding commitments across multiple budget cycles. Agencies may resist centralized oversight despite NSC authority, creating friction and potential delays. Red-teaming activities may embarrass agencies when vulnerabilities are discovered, creating political resistance.

Option 2: Detect. Option 1 + AI-Assisted Detection of Unknown Vulnerabilities and Enhanced Intelligence Capabilities

This option includes all activities from Option 1, plus establishes dedicated AI threat detection and research teams within CSSO that are focused on AI-specific capabilities.

The AI Monitoring and Tripwires Team (6) detects anomalous automated behavior patterns at the network and infrastructure level. An agent operating without human oversight is likely to exhibit inhuman behavioral signatures (speed, regularity, volume) that are detectable with proper monitoring systems in place, although a capable operator can add jitter and rate limiting to blend in, so timing-based signals should be treated as one indicator rather than proof. The team will also deploy honeypots and fake vulnerabilities specifically designed to attract autonomous agents; these tripwires do not depend on timing, since no legitimate client has a reason to touch them, and they exploit systematic probing behavior to waste the agent's computational resources and generate detection signals.
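The following is an added example of what a tripwire monitor of this kind could look like; it is not code from the submission or from any agency. It scores each client in a web server access log on two of the signals named above (regularity of request timing, measured as the coefficient of variation of inter-request gaps, and sustained request rate) and on hits against canary paths that nothing legitimate links to. The log lines, client addresses, canary paths and thresholds are all constructed for illustration.

```python
"""Tripwire-style detection over web access logs (added example, not the
submission's own code). Everything below is constructed for illustration:
the sample log, the client addresses, the canary paths and the thresholds."""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Common Log Format: ip ident user [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Canary paths (constructed): deployed but never linked or advertised, so any
# request for them is a signal regardless of how the client paces itself.
CANARY_PATHS = {"/backup/db.sql", "/.env.bak", "/admin/debug-console"}

# Thresholds (constructed): tune against real traffic before relying on them.
MIN_REQUESTS = 5   # need enough gaps for the regularity statistic to mean anything
MAX_CV = 0.15      # gaps within ~15% of their mean look machine-paced
MIN_RATE = 0.5     # requests per second sustained across the client's window

# Constructed sample log. 203.0.113.9 browses like a person, 198.51.100.7 fires
# exactly one request per second and walks into two canaries, 192.0.2.44 sends
# only three requests but one of them is a canary.
SAMPLE_LOG = """\
203.0.113.9 - - [06/Apr/2026:10:00:00 +0000] "GET / HTTP/1.1" 200 5120
203.0.113.9 - - [06/Apr/2026:10:00:04 +0000] "GET /about HTTP/1.1" 200 2210
198.51.100.7 - - [06/Apr/2026:10:00:10 +0000] "GET / HTTP/1.1" 200 5120
198.51.100.7 - - [06/Apr/2026:10:00:11 +0000] "GET /robots.txt HTTP/1.1" 200 64
198.51.100.7 - - [06/Apr/2026:10:00:12 +0000] "GET /login HTTP/1.1" 200 1890
203.0.113.9 - - [06/Apr/2026:10:00:13 +0000] "GET /contact HTTP/1.1" 200 1702
198.51.100.7 - - [06/Apr/2026:10:00:13 +0000] "GET /api/v1/users HTTP/1.1" 401 0
198.51.100.7 - - [06/Apr/2026:10:00:14 +0000] "GET /.git/HEAD HTTP/1.1" 404 0
203.0.113.9 - - [06/Apr/2026:10:00:15 +0000] "POST /contact HTTP/1.1" 302 0
198.51.100.7 - - [06/Apr/2026:10:00:15 +0000] "GET /backup/db.sql HTTP/1.1" 200 0
198.51.100.7 - - [06/Apr/2026:10:00:16 +0000] "GET /.env.bak HTTP/1.1" 200 0
198.51.100.7 - - [06/Apr/2026:10:00:17 +0000] "GET /admin HTTP/1.1" 403 0
198.51.100.7 - - [06/Apr/2026:10:00:18 +0000] "GET /wp-login.php HTTP/1.1" 404 0
198.51.100.7 - - [06/Apr/2026:10:00:19 +0000] "GET /phpinfo.php HTTP/1.1" 404 0
192.0.2.44 - - [06/Apr/2026:10:00:20 +0000] "GET / HTTP/1.1" 200 5120
192.0.2.44 - - [06/Apr/2026:10:00:29 +0000] "GET /admin/debug-console HTTP/1.1" 200 0
203.0.113.9 - - [06/Apr/2026:10:00:32 +0000] "GET /thanks HTTP/1.1" 200 900
192.0.2.44 - - [06/Apr/2026:10:00:40 +0000] "GET /about HTTP/1.1" 200 2210
203.0.113.9 - - [06/Apr/2026:10:00:41 +0000] "GET /about HTTP/1.1" 200 2210
"""


def parse_line(line):
    """Parse one CLF line into a dict, or return None for lines we cannot read."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def client_profiles(lines):
    """Group parsed records by client and compute per-client timing/canary stats."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            per_ip[rec["ip"]].append(rec)

    profiles = {}
    for ip, recs in per_ip.items():
        recs.sort(key=lambda r: r["ts"])
        times = [r["ts"].timestamp() for r in recs]
        gaps = [b - a for a, b in zip(times, times[1:])]
        span = times[-1] - times[0]
        # A single request, or requests all in the same second, has no usable rate.
        rate = (len(recs) - 1) / span if span > 0 else 0.0
        mean_gap = statistics.fmean(gaps) if gaps else 0.0
        # Coefficient of variation of the gaps; None when there are too few to judge.
        cv = (statistics.pstdev(gaps) / mean_gap) if len(gaps) >= 2 and mean_gap > 0 else None
        canary_hits = sum(1 for r in recs if r["path"] in CANARY_PATHS)
        profiles[ip] = {"requests": len(recs), "rate": rate, "cv": cv, "canary_hits": canary_hits}
    return profiles


def flag_clients(profiles):
    """Return [(ip, [reasons])] for clients that trip a canary or pace like a machine."""
    findings = []
    for ip, p in sorted(profiles.items()):
        reasons = []
        if p["canary_hits"]:
            reasons.append(f"hit {p['canary_hits']} canary path(s)")
        if (p["requests"] >= MIN_REQUESTS and p["cv"] is not None
                and p["cv"] <= MAX_CV and p["rate"] >= MIN_RATE):
            reasons.append(f"machine-regular timing (cv={p['cv']:.2f}, rate={p['rate']:.2f}/s)")
        if reasons:
            findings.append((ip, reasons))
    return findings


if __name__ == "__main__":
    for ip, reasons in flag_clients(client_profiles(SAMPLE_LOG.splitlines())):
        print(ip, "->", "; ".join(reasons))
```

Run as a script, it reports 198.51.100.7 for both the canary hits and the perfectly regular one-per-second pacing, and 192.0.2.44 for the canary hit alone even though three requests are far too few for the timing statistic; the human-paced 203.0.113.9 is not reported. Two caveats a deployment would need: standard access logs only carry one-second timestamps, so sub-second pacing (nginx's `$msec`, for instance) is needed to distinguish fast automation from slow automation, and the timing check is the part an adversary can defeat with jitter, which is why the canary signal is the one to escalate on.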

The Compute Monitoring Team (7) monitors and potentially regulates large-scale compute usage. Truly autonomous agents capable of sophisticated zero-day discovery require significant compute resources, making compute monitoring a more viable intervention point than post-incident attribution.

The AI Containment Research Team (8): Invests in understanding how to detect, interrupt, and isolate autonomous AI systems that are operating outside of intended parameters. This is an active research area but underfunded relative to the risk it addresses.

The Kill Switch Infrastructure Coordination Team (9) negotiates and maintains agreements with cloud providers and hardware manufacturers for emergency shutdown capabilities targeting infrastructure on which rogue agents are operating, including liability protections and conditions for activation.

These teams operate within CSSO’s structure but maintain independence from individual departments to avoid conflicts of interest. Their findings feed directly to the incident response team (Team 5) when threats are detected.

Progress should be reviewed quarterly given the research-intensive nature of this work, with immediate escalation protocols when monitoring systems detect anomalous activity.

Considerations

  • Monetary Costs: This work requires funding for compute resources, specialized personnel recruitment and retention (competitive with private sector salaries), monitoring infrastructure, and partnerships with cloud providers. Building a research team takes time, and attracting talent to government work in this field is challenging given private sector competition. Year 1 costs are estimated at $15-20B, covering all Option 1 expenses ($11-15B for CSSO staffing and infrastructure, initial modernization projects, and red-teaming and incident response capabilities) plus AI detection and research infrastructure ($4-5B).
  • Legislative Requirements: Minimal new legislation is required for research and detection activities. A legal framework is needed for kill switch agreements with private companies (liability protections, conditions for activation). There is potential need for legislation around compute monitoring if it involves private sector infrastructure or raises Fourth Amendment concerns.
  • Public Opinion: The public may resist significant IT security spending when other priorities (medical research, social programs) face cuts. Framing this as “preventing cyberattacks on critical infrastructure” may help, but abstract research is harder to justify than visible improvements. Kill switch capabilities could raise privacy and overreach concerns if not carefully communicated.

Risks

  • Security: Research timeline may not produce actionable results before the threat materializes. Detection systems could produce false positives, creating alert fatigue, or false negatives, missing real threats. Kill switch infrastructure could itself become a target or vulnerability if adversaries discover and exploit it. Adversaries (state or non-state) could develop countermeasures to monitoring once they understand detection methods.
  • Political: Private sector (cloud providers, hardware manufacturers) may resist kill switch agreements due to liability concerns, customer trust issues, or business model conflicts. There could be international implications if the US unilaterally implements compute monitoring that affects global infrastructure. Agencies may object to external monitoring as threatening or creating operational constraints. Research outcomes are uncertain, making sustained funding commitments politically difficult.
  • Economic: Talent competition with private sector makes recruitment expensive and retention difficult, potentially requiring salary structures that exceed standard government pay scales. Kill switch capabilities could harm US tech competitiveness if perceived as government backdoors. Compute monitoring could create compliance costs for legitimate users, including academic researchers and private companies.
  • Societal: Privacy advocates may oppose monitoring infrastructure as surveillance overreach, particularly compute monitoring. Academic and research communities could push back against compute restrictions that impede legitimate research. Kill switch capabilities could negatively impact public trust if they are perceived as government control over private infrastructure. Transparency about monitoring capabilities creates tension between public accountability and operational security.

Option 3: Prevent. Option 2 + Critical Systems Redesign, AI Containment Research, and OS and AI Hardware Vendor Regulatory Requirements

This option includes all activities from Options 1 and 2, plus two additional major components: systemic redesign of critical government infrastructure and establishment of regulatory requirements for operating system and AI hardware vendors.

System Redesign for Resilience: Critical government systems are redesigned using isolation architectures that compartmentalize functions so breaches cannot cascade across systems. Designs prioritize rapid recovery capabilities that assume breaches will occur and enable fast restoration of services, and minimal blast radius principles that limit the scope of damage from any single compromise. Systems are prioritized based on criticality analysis determining which infrastructure is essential if the entire government framework were compromised.

Vendor Regulatory Requirements: Operating system vendors must comply with mandatory patch policies, transparency requirements about known zero-day vulnerabilities, guaranteed hardware and software support commitments for specified periods, and baseline security standards as conditions of eligibility for government contracts. AI hardware vendors must maintain supply chain transparency including disclosure of purchasers, hardware destinations, and intended use cases to enable tracking and potential export controls.

International Coordination: Given that OS vendors and AI hardware supply chains are multinational, this option requires international agreements on security standards, transparency requirements, and information sharing protocols with allied nations.

Enforcement of vendor requirements would fall to the Department of Commerce in coordination with CSSO, with contract eligibility determinations made through existing federal acquisition processes. Non-compliance results in loss of current contracts and ineligibility for future government work.

Progress on system redesign should be reviewed quarterly given the multi-year timeline, with annual reassessment of criticality priorities as threats evolve. Full implementation is estimated to require 5 to 10 years.

Considerations

  • Monetary Costs: Costs include all of Option 1 and 2 expenses plus systemic redesign of critical infrastructure (potentially tens of billions over multiple years), development of new architectural standards, vendor compliance monitoring infrastructure, and international coordination efforts. Phased implementation based on criticality helps spread costs but extends the timeline. Year 1 costs are very roughly estimated at $20-30B, covering all Option 2 expenses ($15-20B) plus initial system redesign planning and pilot projects ($3-5B), vendor compliance framework development ($1-2B), and international coordination efforts ($1-3B). This estimate is highly uncertain given the complexity and scope of systemic redesign work, and costs would likely escalate significantly in subsequent years as full-scale implementation begins.
  • Legislative Requirements: Comprehensive legislation is required to establish vendor transparency, security requirements, and enforcement mechanisms, and to enable information sharing, and international agreements. It may also require updates to Federal Acquisition Regulation (FAR) and export control frameworks. International agreements could require treaty negotiations and potential Senate ratifications depending on the structure.
  • Public Opinion: Framing the project as “making government systems unhackable” and “holding tech companies accountable” could generate strong public support. However, costs and timeline (multi-year effort) may face scrutiny, particularly if other priorities compete for funding. Vendor transparency requirements may be popular given public skepticism of tech companies.

Risks

  • Security: Timeline for full implementation spans 5 to 10 years, during which AI capabilities continue advancing. Phased approach means lower-priority systems remain vulnerable for longer. System redesign introduces new complexities that could create unforeseen vulnerabilities. International coordination requirements slow implementation and create dependencies on foreign cooperation.
  • Political: Vendor requirements may face intense industry lobbying and legal challenges. International agreements require sustained diplomatic effort and may fail if allies have different priorities or domestic constraints. Multi-year, multi-billion dollar commitment faces risk of losing political support across administration changes. Agencies may resist wholesale system redesign as disruptive to operations.
  • Economic: Vendor requirements could reduce competition in government contracting if smaller companies cannot meet compliance costs, particularly long-term support commitments. Hardware tracking requirements may be perceived as overreach by industry, potentially chilling innovation or driving companies away from government work. International disagreements on standards could fragment markets or create compliance conflicts for multinational vendors.
  • Societal: Hardware tracking and supply chain transparency requirements raise privacy and civil liberties concerns if perceived as government surveillance of private sector activities. Export controls on AI hardware could strain relationships with allied nations or academic research communities. The public may view costs as excessive compared to more visible priorities.

Recommendation

Option 2 is recommended because it directly addresses both current system vulnerabilities and the emerging AI threat within an achievable timeline while remaining politically feasible. This approach provides critical early detection and monitoring capabilities that Option 1 lacks, while avoiding the 5-10 year (or more) implementation timeline and political complexity of Option 3’s regulatory framework. Given the rapid advancement of AI capabilities, we need detection systems operational quickly to buy time for modernization efforts to succeed.

Option 1, while necessary, is alone insufficient to address the specific threat identified in the Swift Centre forecast. Modernizing legacy systems and implementing red-teaming addresses known vulnerabilities but provides no early warning system for autonomous AI agents actively hunting zero-days. Without the monitoring, compute tracking, and research in Option 2, we would be operating blind to AI-driven threats until exploitation occurs. The incident response team can only react to breaches that are detected, and traditional security monitoring may not recognize the inhuman behavioral signatures of autonomous AI agents.

Option 2 builds the specialized detection infrastructure needed to identify AI threats as they emerge. AI monitoring and tripwires can detect anomalous patterns that indicate unauthorized AI agentic operation. Compute monitoring provides an intervention point before sophisticated attacks materialize, since zero-day discovery at scale requires significant computational resources. The containment research ensures we are developing the technical capability to interrupt and isolate rogue AI systems rather than scrambling to figure out how when an incident occurs. Kill switch infrastructure provides a last-resort failsafe that currently does not exist.

The research components of Option 2 carry uncertainty, but the alternative is worse. Waiting for the threat to fully materialize before investing in AI-specific detection and containment capabilities leaves us permanently reactive. The modernization work in Option 1 will take years to complete regardless, and during that window we need the early warning systems that Option 2 provides. These capabilities also have value beyond the specific zero-day scenario, as they improve our overall posture against AI-driven cyber threats of all types.

Option 3 represents the ideal comprehensive solution but is not politically achievable in the necessary timeframe. The 5-10 year implementation timeline means critical systems remain vulnerable throughout the period when AI capabilities are advancing most rapidly, with a 20 - 65% chance the threat materializes by end of 2027. Vendor regulatory requirements will face intense industry resistance and legal challenges that could delay or derail implementation. International coordination introduces dependencies on foreign cooperation that we cannot control. The risk of losing political support across administration changes over such an extended timeline is substantial. Option 2 delivers meaningful security improvements within a timeframe that matches the threat evolution, making it the pragmatic choice that balances ambition with achievability.

Next Steps

If approved, we will immediately begin the following five critical actions:

  1. Recruit CSSO Leadership: Begin search for the Director of CSSO outside of standard government channels. This individual must be recruited from private industry with extensive technical program management experience and a strong technical background in cybersecurity and systems architecture. To compete with private sector compensation, the position should offer a minimum salary of $400,000 to $500,000, potentially structured through existing authorities for critical cybersecurity positions or requiring new legislative authorization for executive-level technical roles.
  2. Draft Enabling Legislation: Work with the White House Office of Legislative Affairs and relevant Congressional committees to draft legislation establishing CSSO, mandating agency cooperation, and creating enforcement mechanisms. Legislation must include funding authorization, milestone-based compliance requirements, and accountability provisions for non-compliant agencies.
  3. Secure Initial Funding: Request emergency supplemental appropriation of $15-20B for Year 1 operations, separate from the existing $100B annual IT budget. This covers CSSO staffing and infrastructure ($2-3B), initial modernization projects for highest-priority systems ($8-10B), red-teaming and incident response capabilities ($1-2B), and AI detection/research infrastructure ($4-5B). While substantial, this represents a fraction of the $80B currently spent maintaining legacy systems annually, and addresses the root cause rather than perpetuating maintenance costs.
  4. Mandate Agency Coordination: Issue immediate directives to all departments and agencies requiring cooperation with CSSO and GAO on modernization assessments, vulnerability disclosure, and compliance reporting. Establish interagency working group with representatives from each critical system owner.
  5. Commission Updated GAO Assessment: Request GAO provide current status of all critical legacy systems (most recent public assessment is from July 2025) to establish baseline for CSSO operations and identify highest-priority modernization targets.