Daylila

Cybersecurity · Thursday, 9 July 2026

01 · Briefing · what happened

The government built a machine to find security holes — and skipped the part where someone has to fix them

Cybersecurity 4 min 52 sources

A new US clearinghouse to scan critical infrastructure for flaws risks becoming a backlog generator, one expert warns — because AI finds bugs far faster than anyone can patch them.

Key takeaways

  • The US set up an "AI clearinghouse" to scan critical infrastructure for flaws, but one expert warns that finding bugs is easy while fixing them is the real bottleneck — so it could just generate a bigger backlog.
  • AI now speeds up both sides: a lone attacker used it to break into a large cloud environment in 72 hours using ordinary techniques, no secret exploit needed.
  • This week's flaws — 100,000-plus exposed Ubiquiti systems and a 16-year-old Linux bug that lets one rented server seize the whole machine — are only "fixed" when thousands of separate people choose to apply the update.

The US government has stood up a new office to hunt for security flaws in the systems that run power, water, and transport. The catch, one expert argues, is that finding the holes was never the hard part.

The clearinghouse that scans but may not fix

Last month President Trump signed an AI-focused executive order. It gave three agencies thirty days to set up an “AI cybersecurity clearinghouse”: the Treasury, the National Security Agency, and CISA, the US cyber-defence agency. The deadline passed last week [1]. Its job — coordinate the scanning and validation of software flaws in critical infrastructure, then prioritise how they get patched [1].

Ilona Cohen, an executive at the bug-bounty firm HackerOne, laid out the flaw in the plan in a commentary [1]. AI tools now surface vulnerabilities faster than anyone can act on them, she wrote [1]. She drew the lesson from a real project — OpenAI’s “Patch the Planet,” which uses AI to find and fix bugs in open-source code [1]. What lags behind is everything after discovery [1]. Deciding which findings are real. Judging how serious each is in context. Writing and testing a fix. Getting it deployed by the people who maintain the code.

Her warning is blunt. A body that finds more vulnerabilities but can’t move them to a fix “is not a security win. At national scale, it is a backlog generator” [1]. Much of the code underpinning critical infrastructure is maintained by small teams or lone volunteers with no obligation to respond and little capacity to act fast [1]. Cohen’s fix: measure the clearinghouse by what gets fixed — validation rates, time-to-patch, adoption of fixes — not by how many problems it discovers [1].

Why it matters: the gap between spotting a flaw and closing it is where risk actually lives. Building a faster spotlight doesn’t help if no one is holding the wrench.

The same speed, on the attacker’s side

That discovery-to-fix gap gets more dangerous when attackers get faster too. Security firm Sygnia described how one financially-motivated attacker used AI to break into a large Amazon Web Services environment in roughly 72 hours [9][15]. That work would normally take weeks. The attacker didn’t invent novel malware or a secret flaw. They used well-worn techniques and leaned on AI for speed and scale [15].

The way in was ordinary. They obtained an access key to an AWS account through a weakness in an internet-facing app. Then they used AI to hunt for stored credentials, map the environment, and adapt on the fly [15]. The report calls it “familiar techniques at unfamiliar speed” [15]. The reader’s takeaway: the defence that matters here isn’t exotic. It’s not leaving credentials lying around in code, and turning on a second login check so one stolen key isn’t the whole front door.

A pile of patches, waiting for someone to apply them

The week’s flaw disclosures show exactly the backlog Cohen describes. Networking-gear maker Ubiquiti released fixes for seven critical vulnerabilities in its UniFi software, including a top-severity one that lets a network attacker run commands on the device [17]. Six of them need no user interaction to exploit [17]. Scanning firm Censys tracks more than 100,000 UniFi systems exposed online, nearly 50,000 of them in the US — and there’s no telling how many have been updated [17].

Separately, a flaw hidden in the Linux kernel for 16 years surfaced this week [3]. It’s nicknamed “Januscape” (its ID number is CVE-2026-53359; a CVE is just the industry’s label for a specific catalogued flaw). It lets a rented virtual machine — the isolated slice of a shared server that cloud customers pay for — break out and seize the physical host [3]. The researcher who found it, Hyunwoo Kim, warned an attacker renting a single instance could crash or take over every other customer sharing that machine [3]. Google paid a $250,000 bounty for it [3].

Each of these is now a “found” item. Whether it becomes a “fixed” item depends on thousands of separate people choosing to apply the update — the exact handoff the clearinghouse debate is about.

Also this week

Accenture confirms a breach. The consulting giant confirmed a data breach after a hacker claimed to have stolen its source code [2]. Accenture says it contained the incident and saw no impact on operations or client services [2]. The full scope of what was taken is not yet public.

Spyware sold like a subscription. Researchers at Zimperium documented “RedWing,” Android spyware rented out to criminals through a Telegram bot, complete with tutorial videos and a referral scheme [12]. It walks victims through permission prompts to hijack their phones and steal banking logins, and can generate fake app-store pages mimicking Google Play [12]. The lesson for phone owners: install apps only from the real store, and be wary of any app demanding sweeping permissions right after install.

China flags a foreign coding tool. China’s cyber authorities issued a “backdoor” security alert over Anthropic’s Claude Code, a developer tool [8]. The reporting detailed no technical proof of a backdoor. The notice reads less as a specific finding and more as a trust signal — a state telling its own users which foreign software to distrust [8].

02 · Lesson · why it matters

Finding the problem is the cheap half. Fixing it is the half nobody owns.

Spotting a fault is quick, cheap, and satisfying — closing it is slow, expensive, and lands on whoever happens to be responsible for that patch of code.

Two jobs wearing one name

We talk about “fixing security” as if it were one act. It isn’t. It’s two jobs that only look like one.

The first job is finding. Scan the code, spot the flaw, ring the bell. This job is getting cheaper by the month — a machine can now read a codebase and surface faults faster than any human ever could.

The second job is fixing. Decide whether the flaw is real. Judge how bad it is in this exact system. Write a patch, test it, and get it onto every machine that runs the broken code. This job has barely sped up at all. It’s still humans, still slow, still hard.

When someone builds a tool that does the first job brilliantly and hands the results to whoever’s stuck with the second, they haven’t solved the problem. They’ve moved it — from the fast half to the slow half, and let it pile up.

Why the pile grows

Here’s the trap. The faster you get at finding, the bigger the queue of things to fix. If discovery doubles and repair stays flat, you don’t get safer. You get a longer waiting list.

That’s why an expert this week called a new government office to hunt for flaws a “backlog generator.” Not because finding flaws is bad. Because a system that finds ten times more problems, without adding any hands to fix them, has manufactured a shortage of those hands. The bottleneck didn’t disappear. It got heavier.

You can watch this anywhere the two halves come apart. A doctor orders a scan that reveals a dozen small things — now who reads them, judges them, acts on them? An audit surfaces forty findings — who’s assigned to close each one? A smoke alarm is easy to fit. A fire escape is expensive to build. It’s always cheaper to detect than to repair, so detection races ahead and repair falls behind. The gap between them is where the danger actually sits.

The shape underneath: the easy job at the center, the hard job at the edge

Now look at who does each half.

The finding is done at the center — well-funded firms, government agencies, clever tools with budgets behind them. The fixing is often done at the edge, by people the system quietly depends on and rarely pays. Much of the code that runs banks, hospitals, and power grids is maintained by small teams or a single volunteer, with no contract, no obligation, and no time.

So when the bell rings, it rings loudly at the center and lands as an unpaid chore at the edge. The person who must write the patch never agreed to be on call. They were just the one who wrote a useful piece of code years ago and kept the lights on for free.

This arrangement isn’t an accident, and it isn’t a villain’s plot. It’s what happens when the glamorous half of a job and the thankless half drift into different hands. The center gets the credit for discovery. The edge gets the queue.

Where the reader sits

It’s tempting to file this under “someone else’s problem” — a fight between agencies and coders. It isn’t.

The systems this describes are the ones you’re standing on. The banking app, the hospital record, the router in the corner of the room — all of it rides on code maintained somewhere down the chain. Often by someone with no reason to hurry. When a flaw is found and not fixed, the exposure doesn’t stay with the finder. It travels down to whoever’s using the system. That’s you.

And the same shape sits inside your own life. Noticing you should back up your files, change a reused password, update the phone that’s been nagging you for weeks — that’s the finding. Cheap. Almost free. Actually doing it is the fixing, and the fixing is where it stalls. The knowing and the doing come apart in exactly the same way, just smaller.

What seeing this buys you

The honest thing to hold isn’t “I now know how to fix everything.” It’s the opposite. A quieter respect for how much sits unfixed even after it’s found.

Every organisation, every country, every person is carrying a backlog of known problems that were spotted and never closed. Spotting was easy. Closing was hard, and the hard half fell on someone with no time. The bell has rung on far more than anyone has hands to answer.

So the next time a headline says a flaw was “discovered,” it’s worth remembering that the announcement is the cheap half. The same goes when you catch yourself noticing something in your own life you should fix. The bell is loud. The wrench is quiet, and further away than it looks. Most of what protects us depends on a stranger, somewhere down the line, choosing to pick it up.

03 · Lab · your turn

The Backlog Machine

Rehearse the gap between finding flaws and fixing them — a faster scanner without more hands just grows the queue until a critical one gets exploited.

04 · Hope · carry this

The quiet good news buried in this is how much still holds together on the shoulders of people who were never paid to catch us. Most of what protects us is a stranger, somewhere down the line, choosing to pick up the wrench anyway.

Across the beats