Anthropic's Mythos AI Model Identified as Critical Cybersecurity Threat
Anthropic, the US tech startup behind the Claude chatbot, has confirmed that its latest AI model, Mythos, represents a serious potential threat to global cybersecurity. The company announced on 7 April that it would not release Mythos publicly due to its advanced capabilities in identifying and exploiting unknown flaws in IT systems.
What Is the Mythos AI Model?
Mythos is an AI model that powers tools like chatbots, but with a dangerous twist: it can detect "zero-day" vulnerabilities in every major IT operating system and web browser. These flaws, which organisations have had no time to patch, could theoretically be exploited by hackers if the model is misused. Anthropic described this as a "watershed moment for cybersecurity," noting that some of these unnoticed flaws have existed for decades.
The startup has allowed select tech firms and banks, including Apple and Goldman Sachs, to access Mythos through Project Glasswing, an initiative launched on 8 April. This project enables businesses to test the model's impact on their cybersecurity defences, with Anthropic promising to share insights for industry-wide benefit.
Why Mythos Raises Alarm Bells
According to the UK's AI Security Institute (AISI), Mythos provides tangible evidence of the disruptive capabilities of advanced AI. Since the arrival of OpenAI's ChatGPT in 2022, experts have warned that AI could cause significant real-world damage, and Mythos accelerates these concerns by demonstrating rapid progress in the field.
Advanced AI models like Mythos are often replicated quickly by other firms, including open-source developers, making it harder to control their spread. In a joint letter last month, UK Technology Secretary Liz Kendall and Security Minister Dan Jarvis urged businesses to "plan accordingly" for AI capabilities to "rapidly increase" over the next year.
Despite being withheld from public release, fears about Mythos falling into the wrong hands were realised this week when Anthropic confirmed that a "handful" of users in a private online forum gained unauthorised access. This incident underscores the challenges tech companies face in keeping high-risk products secure.
Expert Assessments and Industry Reactions
The AISI, the world's leading AI safety body, has assessed Mythos and found it to be a "step up" from previous models in terms of cybersecurity threats. Key red flags include its ability to carry out multi-step attacks and identify IT flaws without human guidance. In a test, Mythos successfully completed a 32-step simulation of a cyber-attack, though its effectiveness against well-defended systems remains unverified.
Richard Horne, CEO of the UK's National Cyber Security Centre, stated at the CyberUK conference that Mythos's emergence would drive urgency in replacing "obsolete tech." However, some experts, like those from Aisle, an AI cybersecurity company, argue that Mythos is more an evolution than a revolution. They note that other, cheaper models can also find similar vulnerabilities, suggesting nuance in Anthropic's urgent warnings.
Experts caution that most breaches still stem from well-known risks, such as weak authentication or unpatched vulnerabilities, and there may be hype around Anthropic's claims. As a startup valued at about $800 billion, Anthropic's dramatic announcement has centred Mythos in broader discussions about AI's role in cyber-risk.
Implications for Tech Companies and Banks
About 40 companies, including Google, JP Morgan, and Goldman Sachs, have early access to Mythos via Project Glasswing. While they have not detailed their findings, regulators are deeply concerned. UK government modelling on a worst-case bank hack, predating Mythos, suggests potential chaos: failed direct debits, blocked online banking, and panic-driven runs on lenders.
In response, US Treasury Secretary Scott Bessent met with bosses from major American banks earlier this month, and UK regulators have added Mythos to high-level discussions at the Cross Market Operational Resilience Group. These meetings involve senior bankers and officials from the Treasury, Bank of England, Financial Conduct Authority, and National Cyber Security Centre, highlighting the model's perceived threat to financial stability.
As AI continues to evolve, Mythos serves as a stark reminder of the dual-edged nature of technology: while it can defend against cyber-attacks, it also poses unprecedented risks that demand vigilant oversight and proactive planning from businesses and governments worldwide.
