Artificial intelligence (AI) could eventually perform 75% to 80% of the routine work handled by defensive cyber operators, allowing personnel to focus on more complex threats and mission priorities, according to Brian Hermann, program acquisition executive for cyber at the Defense Information Systems Agency (DISA).
Speaking on Tuesday at TECHNET Cyber, Hermann said the Defense Department (DOD) ultimately needs AI-powered tools capable of making some real-time defensive cyber decisions as adversaries increasingly employ AI in their own operations.
However, he cautioned that significant hurdles involving trust, accreditation, security, and data integration must be addressed before autonomous AI-driven cyber defense can operate at scale.
“I’ve always been a proponent of taking 75 to 80% of what a defensive cyber operator does on a daily basis and automating it,” Hermann said, adding that the goal is not to reduce staffing levels but to shift personnel toward more advanced cyber missions.
Hermann argued that traditional automation alone will not be sufficient as adversaries increasingly leverage AI.
“We have adversaries that are using AI. We can’t just have automation in the way that has to have the man in the loop,” he said. “We also have to have actually solid AI-based tools be making on-the-fly defensive cyber operations decisions for us.”
But such a transition will require AI systems capable of learning from DOD’s cybersecurity and operational data and adapting to evolving threats rather than relying solely on static, rule-based processes, Hermann said.
In the near term, he said AI-enabled cyber defense should focus on automating routine detection and response activities while allowing human operators to concentrate on what he described as the “higher-end fight.”
“That’s the first place that I’m seeing [AI], and that’s the place that’s relevant to the desire to take a load off of the defensive cyber operators’ shoulders and allow them to use their brain on the higher-end fight,” Hermann told reporters after the panel discussion.
While AI could automate a significant share of routine cyber work, Hermann said he does not expect the technology to reduce workforce requirements.
“We’re going to need at least all the people that we have right now focusing on the higher-end fight and letting some of the automated tools work on the things that we feel much more confident in,” he said.
Hermann described a phased path toward more autonomous cyber operations. Initially, AI-generated response rules would be reviewed and approved by humans. Over time, operators could become comfortable allowing certain AI-generated actions to execute automatically.
“The next step is starting to feel comfortable with the proposal of that rule being effective right out of the gate,” he said. “Will it be perfect? Probably not, but I think that’s something we have to learn. We have to figure out how to get there.”
DOD still faces trust and accreditation hurdles
Despite advances in AI-enabled cyber capabilities, Hermann said DOD is not yet ready to allow AI systems to make defensive decisions independently at scale.
“We have to understand how we can feel confident about that,” he said. “We have to know how to feel confident that those could be accredited decisions that they’re going to make, and that they’re not hijacked by our adversaries as well.”
Among the biggest concerns, Hermann said, are risks involving AI poisoning and manipulation.
“The risk, of course, is if the AI gets poisoned somehow, and then you have a problem with how you respond,” Hermann said.
Hermann also warned against creating fragmented AI ecosystems across the department. Rather than building disconnected tools and databases, he said effective AI-enabled cyber defense will depend on enterprise-wide capabilities built on integrated data.
DISA builds unified data environment for AI
Hermann said DISA’s push toward AI-enabled cyber operations depends on a strong data foundation. To support that goal, the agency is consolidating cybersecurity and operational data from across DISA into a unified environment.
According to Hermann, the effort began after DISA Director Lt. Gen. Paul Stanton asked where leaders could view operational and security data in a single location to support decision-making.
“What we found is that it was siloed in different places around the agency,” Hermann said. “Now, we’re bringing that all together, and we’re consolidating and making that data available where appropriate to other elements of the department as well.”
According to Hermann, the consolidated data environment will provide the foundation necessary for future AI-enabled cyber operations.
“The ability to have all that data together, and then obviously you go to the AI piece, where you draw inferences based on having all that data together,” he said.
Hermann said progress on the initiative has been substantial and that he expects the effort to be completed by the end of the year, giving agency leaders access to a consolidated or federated data environment capable of supporting future AI-enabled cyber operations.