Pentagon's Top Cyber Official Wants Cyber in Every Operation — and Security Built Into AI From Day One
The Pentagon's top cyber official, Katherine Sutton, says the Defense Department must pull cyber 'out of its silo' and build it into every operation from day one — and must bake security into the AI tools it adopts, rather than treating it as an afterthought.
The Pentagon is saying out loud what the security industry learned the hard way: if you bolt security on after you have already deployed the tool, you have already lost. The new test is whether it can apply that lesson to AI before, not after, the mistakes.
WASHINGTON — The Defense Department is working to integrate cyber into all of its operations and wants to build security into its use of artificial intelligence from the outset, the Pentagon's top cyber policy official said on June 2, 2026, according to CyberScoop's reporting from the GDIT Emerge: Battlespace of the Future conference.
Katherine Sutton, assistant secretary for cyber policy and principal cyber adviser at the Defense Department, said recent conflicts have made clear how important cyber is — especially when paired with physical force — and that the department has to stop treating it as a separate discipline. CyberScoop reported that defense officials have described a cultural shift on cyber's importance since the war in Iran and the capture of Venezuelan leader Nicolás Maduro.
What Happened
Speaking at the GDIT Emerge: Battlespace of the Future conference, Sutton framed cyber integration as a structural change, not a slogan. 'We have to fully pull cyber out of its silo, which means not just integrating the effects, but starting the integration from day one with operational planning … and built in from the beginning, and not something that we strap on as we're going to execute,' she said, per CyberScoop. She added that 'information is becoming more and more important on the battlefield, so having the ability to integrate space, cyber and other non-kinetic effects to be able to degrade that information advantage is something that's going to be critical and foundational to any future conflicts going forward.'
The Army's principal cyber adviser, Brandon Pugh, made the same argument at the conference, saying cyber 'being considered in a silo is not where it's most effective' and that it works better 'when we see cyber blending in the kinetic operations while still being an option in its own right.' CyberScoop noted that Defense Secretary Pete Hegseth has given Pugh oversight of all defense critical infrastructure — physical and cyber — which Pugh said reflects how linked the department now considers the two.
On AI, Sutton invoked the cybersecurity truism that the internet was not built with security in mind and said the department cannot make the same mistake again: 'As we adopt these new tools, we're also creating a new threat landscape for adversaries to attack us and to exploit these new capabilities, so we need to start thinking about how we're going to secure them.' She added, 'One of the challenges we have often had with tools is we adopt them, and security is an afterthought … I just don't think we have that luxury with AI going forward.'
'Security as an Afterthought' Is the Whole Lesson
Sutton's AI point is the one with the broadest resonance, because it restates the single most expensive lesson in the history of computing. The internet, operating systems, email, and the industrial control systems running critical infrastructure were all built for function first and secured later, at enormous cost — decades of retrofitted patches, bolt-on firewalls and breach cleanups. Her argument is that AI is arriving fast enough, and into high-stakes-enough settings, that the department cannot afford to repeat that sequence: security has to be a design input, not a remediation project. That is not a uniquely military insight — it is exactly the 'secure by design' principle CISA and the broader security community have been pushing — but hearing it from the Pentagon's cyber policy chief, applied to AI specifically and before wide deployment, is the noteworthy part. The hard question, unanswered in the remarks, is how to operationalize it under the pressure to field AI capabilities quickly.
Cyber Out of Its Silo — and Into the Kill Chain
The integration message is about organizational design as much as doctrine. Treating cyber as a separate capability that is 'strapped on' at execution time, in Sutton's framing, wastes it; weaving it into planning from day one — alongside space and other non-kinetic effects — treats information advantage as something to be contested continuously, not bolted on. Pugh's reframing of the same idea, and the fact that Defense Secretary Hegseth consolidated oversight of physical and cyber critical infrastructure under him, signal that the department increasingly sees the digital and physical domains as one problem. That convergence is a theme The CyberSignal has tracked from the defensive side too — for instance the concern over adtech and commercial location data exposing US troops, where a digital data-broker problem became a force-protection problem. The cyber-physical merge cuts both ways: it is an opportunity in offense and a vulnerability in defense.
One Note in a Louder Week for AI-and-Cyber Policy
Sutton's remarks did not happen in isolation; they landed in a week when AI-and-cyber policy moved on several fronts at once. The same days saw the White House issue an executive order setting up a voluntary framework to test 'covered frontier' AI models and share AI-found vulnerabilities with critical infrastructure, and Anthropic expand Project Glasswing and its Claude Mythos model to about 150 critical-infrastructure organizations. Read together, the through-line is consistent across government and industry: powerful AI is becoming central to both offense and defense, and the institutions involved are converging on the same answer — build security in early, and treat AI as a capability that has to be defended even as it is deployed. Sutton's contribution is the operator's version of that idea, aimed at how the military plans and fields these tools rather than at how they are governed.
Scope and Impact
These are stated priorities and cultural direction from senior defense officials, not a new policy, directive or budget — an important distinction for calibrating how much weight to give them. The audience and immediate relevance are the Defense Department's own components, the defense-industrial base, and the contractors and vendors that build and integrate the department's cyber and AI capabilities. For that ecosystem, the signal is directional but real: the department's cyber-policy leadership is publicly prioritizing cyber-physical integration and security-by-design for AI, which tends to shape requirements, acquisition language and program emphasis over time even before it is written into formal doctrine.
For the broader security community, the scope is mostly as a bellwether. When the Pentagon's cyber chief says the department cannot treat AI security as an afterthought, it both reflects and reinforces a norm that applies far beyond defense: any organization racing to adopt AI tools is, in Sutton's words, 'creating a new threat landscape' at the same time. The remarks do not change what a private-sector CISO must do, but they validate a posture — secure AI adoption from the outset — that the same CISO can cite when arguing for security resources in their own AI rollout. The practical caveat is that direction-setting speeches are easy; the test is whether requirements, funding and program execution follow.
Response and Attribution
For leaders in the defense-industrial base and government contractors, the actionable read is to expect cyber-integration and AI-security expectations to surface in requirements and evaluations, and to get ahead of them: design programs so that cyber effects and protections are part of operational planning rather than late add-ons, and build security, monitoring and abuse-resistance into AI capabilities from the design phase. Sutton's 'new threat landscape' framing is a useful prompt to threat-model AI systems for how an adversary would attack or subvert them — data poisoning, model manipulation, prompt-injection of AI agents, and exfiltration through the tool itself — before fielding, not after.
For CISOs and security leaders outside government, the response is to treat the remarks as cover and template rather than instruction. The 'don't bolt security on after the fact' lesson applies directly to enterprise AI adoption: inventory where AI is already being introduced across the organization, require security review as a gate in AI procurement and deployment, and extend existing controls — identity, logging, data-loss prevention, least privilege — to AI systems and the agents acting on their behalf. The broader takeaway, consistent across this week's government and industry moves, is that the organizations thinking hardest about AI are converging on the same discipline: adopt the capability, but defend it from day one. The speeches are the easy part; for defenders everywhere, the value is in turning that principle into a checklist their own AI projects actually have to pass.
The CyberSignal Analysis
Signal 01 — 'Secure by Design' Reaches the Battlefield
The most portable idea in Sutton's remarks is that the military is explicitly trying to avoid the original sin of computing — shipping first and securing later — with AI. That the Pentagon's cyber chief is saying it out loud, before AI is fully fielded, is a meaningful marker: it moves 'secure by design' from a vendor slogan and CISA talking point into stated defense priority. For defenders everywhere, it is useful validation that the time to secure an AI capability is during adoption, not after the first incident. The caveat is that intent is not implementation; the lesson only counts if it changes how systems are actually built and bought.
Signal 02 — The Cyber-Physical Line Keeps Disappearing
Both Sutton and Pugh describe cyber and kinetic operations as increasingly inseparable, and the consolidation of physical and cyber critical-infrastructure oversight under one Army official makes the organizational point. For defenders, the same convergence runs in reverse: a digital exposure can become a physical-safety problem, as the worry over commercial location data and troops showed. The practical implication is that threat models which treat 'cyber' and 'physical' as separate columns are increasingly out of step with how both attackers and the military now operate, and that defensive planning — like offensive planning — should assume the two domains feed each other.
Signal 03 — A Coordinated Policy Week, Not a One-Off
Sutton's comments are most informative read alongside the federal AI executive order and Anthropic's Glasswing expansion the same week. Independently, each is a single data point; together they show government and industry converging on a shared premise — that advanced AI is now central to cyber offense and defense, and must be secured as it is deployed. For security leaders, the signal is that AI-and-cyber is consolidating into a coherent policy and industry agenda rather than scattered announcements, which makes it worth tracking as a trend line. The open question across all three is the same: whether the follow-through — funding, requirements, safeguards, execution — matches the stated intent.