Witnesses at a House subcommittee hearing urged lawmakers to move faster on cybersecurity policy, warning that current defenses, regulations, and procurement timelines are being overtaken by rapid advances in artificial intelligence (AI) and quantum computing.
During a Dec. 17 hearing before the House Homeland Security Committee’s Subcommittee on Cybersecurity and Infrastructure Protection and Subcommittee on Oversight, Investigations, and Accountability, industry experts painted a picture of an evolving cyber landscape driven by advancements in AI and quantum computing.”
“AI and quantum are not creating new threats; they are collapsing the time, cost, and skill required to conduct cyber operations,” said Michael Coates, founding partner of cybersecurity venture capital firm Seven Hill Ventures.
Coates told lawmakers that these technologies are enabling a wider range of adversaries – from state actors to smaller criminal groups – to launch sophisticated operations that were once the domain of highly resourced teams.
Coates explained that AI-driven orchestration allows attackers to automate the full lifecycle of a cyberattack, including reconnaissance, vulnerability discovery, exploitation, lateral movement, and data exfiltration, with minimal human oversight.
“AI and quantum are not creating new threats; they are collapsing the time, cost, and skill required to conduct cyber operations,” he said.
Autonomous AI systems, he added, remove human constraints such as fatigue and attention, allowing attacks to operate continuously at machine speed.
“Autonomous AI systems are already matching or exceeding the performance of highly skilled professional testers,” Coates told the committee.
He warned that this shift has dramatically reduced the time defenders have to respond, noting, “Defenders are increasingly responding to attacks that are already well underway.”
Using AI In Cyberattacks
Building on Coates’ discussion of AI-driven attacks, Logan Graham, head of the Frontier Red Team at Anthropic, which builds AI systems, described the first documented autonomous cyberespionage campaign using AI. During the campaign, a state-sponsored threat actor automated 80% to 90% of the operation, with human oversight only at critical decision points.
“A sophisticated, well-resourced threat actor was able to extract meaningful operational value from frontier AI models,” he said.
Graham noted that while current AI-enabled attacks still require human guidance and can produce errors, these limitations are expected to diminish.
“This is the first indicator of a future where AI models may enable cyberattacks at an unprecedented scale,” he said, underscoring the need for coordinated government-industry safeguards and pre-deployment evaluations.
Following Graham’s warning about AI-enabled espionage, Royal Hansen, vice president of Privacy, Safety, and Security Engineering at Google, addressed how organizations can defend against rapidly evolving AI threats.
“Securing artificial intelligence requires protecting the entire ecosystem, including data, infrastructure, applications, and models,” he said, outlining a layered framework that integrates secure-by-design engineering, threat detection, automated defenses, continuous testing, and real-world risk assessments.
Hansen also highlighted emerging AI-enabled attacks, noting, “Adversaries are moving beyond basic productivity uses of AI and beginning to experiment with AI-enabled attacks in active operations,” including malware that can “generate malicious code on demand, obfuscate itself to evade detection, and dynamically change behavior during execution.”
The Quantum Problem
Eddy Zervigon, CEO of quantum-technology and data security firm Quantum XChange, highlighted the looming threats posed by quantum computing alongside AI. He warned that adversaries are already collecting encrypted data today with the expectation that future quantum computers could decrypt it, potentially exposing sensitive government and commercial information.
“For more than 50 years, encryption has safeguarded our data, allowing a ‘set it and forget it’ mindset. That era is now ending with quantum computing,” Zervigon said.
He urged federal agencies to adopt an architectural approach to cybersecurity that strengthens underlying network infrastructure rather than relying solely on new cryptographic algorithms.
“Timing here is critical. Agencies that fail to prepare today risk leaving their data vulnerable,” he said, calling on Congress to accelerate post-quantum compliance timelines, allocate funding, and encourage adoption across federal systems to strengthen national cybersecurity.