Anthropic's 'Mythos' AI Model Raises Cyber-Security Concerns Among Regulators

Claims by the leading AI firm Anthropic that its new model, 'Mythos', can outperform humans at certain hacking and cyber-security tasks have ignited discussions among regulators, legislators, and financial institutions regarding the potential dangers to digital services.

The company, which revealed 'Mythos Preview' in early April as part of its broader Claude AI system, stated that red-team researchers found the tool to be 'strikingly capable at computer security tasks'. They reported Mythos could locate and exploit dormant bugs, some present in code for decades.

Project Glasswing and Industry Access

Instead of widespread release, Anthropic granted 12 major tech companies, including Amazon Web Services, Apple, Microsoft, Google, Nvidia, Broadcom, and Crowdstrike, access to Mythos via 'Project Glasswing'. This initiative is framed as 'an effort to secure the world's most critical software', with Anthropic claiming to have provided access to over 40 organisations responsible for critical software.

Anthropic stated that Mythos Preview has 'already found thousands of high-severity vulnerabilities, including some in every major operating system and web browser,' and predicted that such capabilities would 'proliferate, potentially beyond actors who are committed to deploying them safely.'

Regulatory Apprehension and Scepticism

Finance ministers and central bankers have voiced serious concerns, fearing the model could undermine the security of financial systems. Canadian Finance Minister François-Philippe Champagne indicated Mythos was discussed at an International Monetary Fund meeting, describing the technology as an 'unknown unknown'. Bank of England Governor Andrew Bailey similarly noted the need to 'look very carefully now what this latest AI development could mean for the risk of cyber crime.'

However, independent cyber-security analysts remain sceptical, with many yet to test the model themselves. The UK's AI Safety Institute concluded that while powerful, Mythos's primary threat would be against poorly defended systems, stating: 'We cannot say for sure whether Mythos Preview would be able to attack well-defended systems.'

Critics suggest that it is in Anthropic's commercial interest to highlight never-before-seen capabilities, making it challenging to differentiate genuine breakthroughs from industry hype. Former head of the UK's National Cyber Security Centre, Ciaran Martin, noted that while the claims have 'really shaken people', the most crucial response is not panic, but rather a concerted effort to implement sound basic cyber-security, as many existing vulnerabilities can be exploited without advanced AI tools.