Cybersecurity · Thursday, 9 July 2026
01 · Briefing · what happened
The government built a machine to find security holes — and skipped the part where someone has to fix them
A new US clearinghouse to scan critical infrastructure for flaws risks becoming a backlog generator, one expert warns — because AI finds bugs far faster than anyone can patch them.
Key takeaways
- The US set up an "AI clearinghouse" to scan critical infrastructure for flaws, but one expert warns that finding bugs is easy while fixing them is the real bottleneck — so it could just generate a bigger backlog.
- AI now speeds up both sides: a lone attacker used it to break into a large cloud environment in 72 hours using ordinary techniques, no secret exploit needed.
- This week's flaws — 100,000-plus exposed Ubiquiti systems and a 16-year-old Linux bug that lets one rented server seize the whole machine — are only "fixed" when thousands of separate people choose to apply the update.
The US government has stood up a new office to hunt for security flaws in the systems that run power, water, and transport. The catch, one expert argues, is that finding the holes was never the hard part.
The clearinghouse that scans but may not fix
Last month President Trump signed an AI-focused executive order. It gave three agencies thirty days to set up an “AI cybersecurity clearinghouse”: the Treasury, the National Security Agency, and CISA, the US cyber-defence agency. The deadline passed last week
Ilona Cohen, an executive at the bug-bounty firm HackerOne, laid out the flaw in the plan in a commentary
Her warning is blunt. A body that finds more vulnerabilities but can’t move them to a fix “is not a security win. At national scale, it is a backlog generator”
Why it matters: the gap between spotting a flaw and closing it is where risk actually lives. Building a faster spotlight doesn’t help if no one is holding the wrench.
The same speed, on the attacker’s side
That discovery-to-fix gap gets more dangerous when attackers get faster too. Security firm Sygnia described how one financially-motivated attacker used AI to break into a large Amazon Web Services environment in roughly 72 hours
The way in was ordinary. They obtained an access key to an AWS account through a weakness in an internet-facing app. Then they used AI to hunt for stored credentials, map the environment, and adapt on the fly
A pile of patches, waiting for someone to apply them
The week’s flaw disclosures show exactly the backlog Cohen describes. Networking-gear maker Ubiquiti released fixes for seven critical vulnerabilities in its UniFi software, including a top-severity one that lets a network attacker run commands on the device
Separately, a flaw hidden in the Linux kernel for 16 years surfaced this week
Each of these is now a “found” item. Whether it becomes a “fixed” item depends on thousands of separate people choosing to apply the update — the exact handoff the clearinghouse debate is about.
Also this week
Accenture confirms a breach. The consulting giant confirmed a data breach after a hacker claimed to have stolen its source code
Spyware sold like a subscription. Researchers at Zimperium documented “RedWing,” Android spyware rented out to criminals through a Telegram bot, complete with tutorial videos and a referral scheme
China flags a foreign coding tool. China’s cyber authorities issued a “backdoor” security alert over Anthropic’s Claude Code, a developer tool
02 · Lesson · why it matters
Finding the problem is the cheap half. Fixing it is the half nobody owns.
Spotting a fault is quick, cheap, and satisfying — closing it is slow, expensive, and lands on whoever happens to be responsible for that patch of code.
Two jobs wearing one name
We talk about “fixing security” as if it were one act. It isn’t. It’s two jobs that only look like one.
The first job is finding. Scan the code, spot the flaw, ring the bell. This job is getting cheaper by the month — a machine can now read a codebase and surface faults faster than any human ever could.
The second job is fixing. Decide whether the flaw is real. Judge how bad it is in this exact system. Write a patch, test it, and get it onto every machine that runs the broken code. This job has barely sped up at all. It’s still humans, still slow, still hard.
When someone builds a tool that does the first job brilliantly and hands the results to whoever’s stuck with the second, they haven’t solved the problem. They’ve moved it — from the fast half to the slow half, and let it pile up.
Why the pile grows
Here’s the trap. The faster you get at finding, the bigger the queue of things to fix. If discovery doubles and repair stays flat, you don’t get safer. You get a longer waiting list.
That’s why an expert this week called a new government office to hunt for flaws a “backlog generator.” Not because finding flaws is bad. Because a system that finds ten times more problems, without adding any hands to fix them, has manufactured a shortage of those hands. The bottleneck didn’t disappear. It got heavier.
You can watch this anywhere the two halves come apart. A doctor orders a scan that reveals a dozen small things — now who reads them, judges them, acts on them? An audit surfaces forty findings — who’s assigned to close each one? A smoke alarm is easy to fit. A fire escape is expensive to build. It’s always cheaper to detect than to repair, so detection races ahead and repair falls behind. The gap between them is where the danger actually sits.
The shape underneath: the easy job at the center, the hard job at the edge
Now look at who does each half.
The finding is done at the center — well-funded firms, government agencies, clever tools with budgets behind them. The fixing is often done at the edge, by people the system quietly depends on and rarely pays. Much of the code that runs banks, hospitals, and power grids is maintained by small teams or a single volunteer, with no contract, no obligation, and no time.
So when the bell rings, it rings loudly at the center and lands as an unpaid chore at the edge. The person who must write the patch never agreed to be on call. They were just the one who wrote a useful piece of code years ago and kept the lights on for free.
This arrangement isn’t an accident, and it isn’t a villain’s plot. It’s what happens when the glamorous half of a job and the thankless half drift into different hands. The center gets the credit for discovery. The edge gets the queue.
Where the reader sits
It’s tempting to file this under “someone else’s problem” — a fight between agencies and coders. It isn’t.
The systems this describes are the ones you’re standing on. The banking app, the hospital record, the router in the corner of the room — all of it rides on code maintained somewhere down the chain. Often by someone with no reason to hurry. When a flaw is found and not fixed, the exposure doesn’t stay with the finder. It travels down to whoever’s using the system. That’s you.
And the same shape sits inside your own life. Noticing you should back up your files, change a reused password, update the phone that’s been nagging you for weeks — that’s the finding. Cheap. Almost free. Actually doing it is the fixing, and the fixing is where it stalls. The knowing and the doing come apart in exactly the same way, just smaller.
What seeing this buys you
The honest thing to hold isn’t “I now know how to fix everything.” It’s the opposite. A quieter respect for how much sits unfixed even after it’s found.
Every organisation, every country, every person is carrying a backlog of known problems that were spotted and never closed. Spotting was easy. Closing was hard, and the hard half fell on someone with no time. The bell has rung on far more than anyone has hands to answer.
So the next time a headline says a flaw was “discovered,” it’s worth remembering that the announcement is the cheap half. The same goes when you catch yourself noticing something in your own life you should fix. The bell is loud. The wrench is quiet, and further away than it looks. Most of what protects us depends on a stranger, somewhere down the line, choosing to pick it up.
03 · Lab · your turn
The Backlog Machine
Rehearse the gap between finding flaws and fixing them — a faster scanner without more hands just grows the queue until a critical one gets exploited.
04 · Hope · carry this
The quiet good news buried in this is how much still holds together on the shoulders of people who were never paid to catch us. Most of what protects us is a stranger, somewhere down the line, choosing to pick up the wrench anyway.
More from Cybersecurity