Anthropic has decisively opted not to release its latest AI model, Mythos, to the public, citing significant concerns regarding its potential threat to global cybersecurity.
On Wednesday, the U.S. tech startup behind the Claude chatbot disclosed it is probing a report indicating that an unauthorised group may have accessed Mythos.
This alleged breach has ignited apprehension about the rapid pace of technological advancement and the capability of corporations to safeguard their most perilous products from public exposure. Here, we delve into the intricacies of Mythos and its conceivable ramifications.
What is Mythos?
Mythos is an advanced AI model—an essential technology that underpins various tools, including chatbots—that, according to Anthropic, poses a considerable threat to the cybersecurity of any organisation.
Anthropic announced the model’s existence on April 7, declaring it would not be publicly released due to its capacity to identify previously unknown vulnerabilities within IT systems—flaws that could, in theory, be weaponised by cybercriminals.
Anthropic asserts that Mythos can identify and exploit “zero-day” vulnerabilities across all major IT operating systems and web browsers if prompted.
These vulnerabilities are called zero-days because organisations and developers are unaware of them and have therefore had no time to deploy patches before an attacker strikes.
The company has characterised this as a “watershed moment for cybersecurity,” revealing that some of the undetected vulnerabilities have persisted for decades.
In a significant move, the startup has permitted various tech enterprises and financial institutions, including Apple and Goldman Sachs, to interact with the model to evaluate the potential risks it may pose to their operations and clientele.
Why is it a cause for concern?
According to the UK’s AI Security Institute (AISI), Mythos exemplifies the disruptive prowess of advanced AI. Since the advent of OpenAI’s ChatGPT in 2022, experts have raised alarms about the possible real-world implications of AI technology.
A broader concern lies in the implications of Mythos as a harbinger of AI’s accelerating proliferation. Advanced models are often swiftly replicated by other firms, including those specialising in open-source software readily accessible to users.
In a recent communique directed at business leaders, the UK technology secretary, Liz Kendall, and security minister, Dan Jarvis, insisted that enterprises must “plan accordingly” for the swift evolution of AI capabilities in the upcoming year. It is noteworthy that AI can also serve as a defensive tool against cyber threats.
Further compounding these apprehensions is the potential for Mythos to be appropriated by malicious actors, despite its restricted public release. This concern materialised recently when Anthropic confirmed that a “handful” of users within a private online forum had successfully accessed the model.
However, a pertinent inquiry remains: how critical are the myriad vulnerabilities flagged by Mythos? Can they inflict substantial damage? It’s essential to differentiate between highlighting an IT flaw and the actual exploitation of one.
Has Mythos been assessed by experts?
The AISI, the premier global body dedicated to AI safety, has evaluated Mythos and categorises it as a significant upgrade from earlier models in terms of the cybersecurity threat it poses.
Among its concerning features are its ability to execute multi-step attacks and identify IT weaknesses without human intervention.
In a notable achievement, it completed a 32-step simulation of a cyber-attack in a test devised by the AISI. The model is capable of targeting weak, smaller IT systems, although a definitive judgement on its efficacy against well-protected systems remains elusive.
The institute concluded its assessment with a familiar caution: AI systems are poised for continual enhancement.
Richard Horne, CEO of the UK’s National Cyber Security Centre, remarked at the recent CyberUK conference in Glasgow that Mythos’s emergence underscores the necessity for companies to replace “obsolete tech.” “It just drives the urgency,” he emphasised.
Conversely, some experts argue that Mythos represents more of an evolution than a revolution. Aisle, a firm specialising in AI cybersecurity, scrutinised Anthropic’s assertions that it unearthed thousands of zero-day vulnerabilities across significant operating systems and browsers, even identifying one in FreeBSD, a UNIX derivative.
They concluded that other, more cost-effective models could also detect these issues. While Mythos’s capabilities are indeed noteworthy, the nuances may be more complex than Anthropic’s urgent proclamations suggest.
Experts caution that most breaches continue to stem from well-known risks, such as inadequate authentication and unpatched vulnerabilities.
Some analysts propose that a degree of hyperbole surrounds Anthropic’s claims about Mythos, particularly given the startup’s valuation of about $800 billion (£592 billion).
While Mythos is undoubtedly a formidable model, the dramatic announcement from Anthropic has amplified its visibility, prompting a broader discourse on how AI may exacerbate cyber risks.
How are tech companies and banks involved?
Approximately 40 companies, including Google, JP Morgan, and Goldman Sachs, have received early access to Mythos through an initiative dubbed Project Glasswing, a program aimed at enabling businesses to incorporate the AI model into their cybersecurity frameworks. Anthropic asserts that the insights gleaned will be disseminated “so the whole industry can benefit.”
Nevertheless, the launch partners have refrained from divulging specifics regarding their assessments of Mythos’s potential capabilities and threats.
This lack of clarity has not deterred banks and regulatory authorities from speculating about its prospective implications.
Given the gravity of Anthropic’s warnings, the possibility of Mythos landing in the wrong hands poses substantial risks to financial institutions and the overarching stability of the financial ecosystem.
UK government modelling of a hypothetical worst-case bank cyber-attack, developed even prior to Mythos’s conception, indicated that direct debits might fail, resulting in unpaid rents, mortgages, and wages, while access to online banking and ATMs could be obstructed.
Commuters might find themselves stranded as public transport and fuel stations reject transactions, potentially inciting panic and leading to a run on competing banks as consumers withdraw funds, fearful of the contagion of disruption.
The potential threats posed by Mythos prompted U.S. Treasury Secretary Scott Bessent to convene a meeting with executives from major American banks, including Goldman and Citigroup, in Washington earlier this month.

Furthermore, UK regulators have prioritised Mythos in discussions at the Cross Market Operational Resilience Group, ensuring it occupies a prominent place in high-level dialogues involving senior bankers alongside officials from the Treasury, Bank of England, Financial Conduct Authority, and National Cyber Security Centre.
Source link: Theguardian.com.






