How can we give defenders of critical infrastructure an advantage over attackers?
@Miles_Brundage proposes Operation Patchlight: a national effort to use each jump in frontier AI capabilities to find and patch critical open-source code vulnerabilities before these AI capabilities diffuse to attackers.
Attacks on critical infrastructure are already a big problem. 61% of US hospitals report ransomware affecting clinical care, with 17% saying it caused serious patient harm. It takes 491 days on average to apply critical security updates to hospital equipment, and cyber incidents in healthcare cost over $15 billion in 2023 alone.
But it could get much worse. Future agentic AI systems may constitute advanced persistent threats, scaling the effective workforce of cyberattackers by orders of magnitude.
The proposal addresses a market failure. Attackers can make millions from a single ransomware campaign, while open-source code maintainers (whose libraries underpin ~70% of commercially used software) remain chronically under-resourced. The plan: for the US government and AI labs to jointly fund AI-powered vulnerability discovery, plus more funds to give every hospital and power plant administrator an always-on AI security assistant that helps implement patches and security improvements.
As AI systems become more capable, the need for this project will become more acute and its feasibility more apparent, as future AI systems become capable of both cyberattacks and protecting infrastructure against them. Even large investments into AI-powered cyberdefense could prove to be extremely cost-effective for the US government.
Read the online essay: ifp.org/operation-patchlight…
🚀 The Launch Sequence book debut is in 11 days!
Start the countdown: every day until then, I’ll post at least one short summary on each of the ideas in the book.
Then we’ll start shipping the books to Congress.
More details in-thread (1/3).
Nov 7, 2025 · 8:13 PM UTC






