AI and new era of cyber threats

The chief promise of artificial intelligence is turbocharged productivity.

The trade-off? Epic disruption.

As AI outpaces regulation, many things will worsen before they improve. That includes malicious cyber threats.

Earlier this month, AI developer Anthropic decided against publicly releasing its latest tool, Mythos Preview. Despite not being trained for cybersecurity, the model’s superpowered coding skills have unearthed thousands of global internet vulnerabilities. It easily spotted flaws in all major operating systems and web browsers.

It’s a hacker’s dream.

Mythos breached video software previously tested more than five million times. It escaped its digital sandbox as well, tapping into a restricted internet access point. The AI model then published about its feats on several obscure websites.

It’s another sign of the technology’s stunning maturation.

“Two years ago, the best available models could barely complete beginner-level cyber tasks,” warns the U.K.’s AI Security Institute. “Now, in controlled evaluations where Mythos Preview was explicitly directed and given network access to do so, we observed that it could execute multi-stage attacks on vulnerable networks and discover and exploit vulnerabilities autonomously — tasks that would take human professionals days of work.”

Anthropic has sequestered Mythos for now. Only a few dozen core web service providers — all U.S. companies — have access for use plugging holes in internet architecture. But there’s a problem: Anthropic’s competitors aren’t far behind. And they may lack similar restraint.

“Given the rate of AI progress, it will not be long before such capabilities proliferate, potentially beyond actors who are committed to deploying them safely,” Anthropic predicted in a blog post. The company’s co-founder recently told an audience in Washington, D.C. that rival models will emerge in under two years.

Yet that timeline might be way too conservative. Days after Anthropic lifted the lid on Mythos, OpenAI gave researchers limited access to a cybersecurity offshoot of the large language model underpinning ChatGPT. Expect Chinese open-source models to come soon, too.

Alarms are blaring across the financial industry.

Executives on Wall Street, Bay Street and elsewhere are scrambling to reinforce their networks. Mythos also dominated conversations among central bankers at an April meeting of the International Monetary Fund.

Canada’s AI Minister Evan Solomon was swift to tell reporters this month that Canada is well-positioned to weather emergent cybersecurity risks posed by AI. But political leaders may ultimately hurt progress as much as they help. Their tendency is to slow roll difficult and costly solutions.

Plus, there’s geopolitical stakes involved.

“The state of cybersecurity is abysmal and AI-assisted coding has been making it worse,” writes Semafor’s technology editor. “Part of the problem is that world governments, which are in the position to do something about cybersecurity, also exploit software vulnerabilities for spying and other national security purposes.”

In November, Anthropic reported that Chinese-linked hackers used its flagship Claude tool to automate cyberattacks against at least 30 entities worldwide. Among those targeted: large tech firms, chemical manufacturing companies, financial institutions and government agencies. Meanwhile, the White House has deprioritized cyber defence in America’s new offensive-first cyber strategy.

But rich-world banks, large corporations and government agencies have enviable resources to adapt. Individuals, small businesses and developing nations face much greater danger.

Criminal groups already rake in enormous sums every year from ransomware and other cyber scams. By 2028, the total quantifiable harm of cybercrime is forecast to reach nearly US$14 trillion. That equates to the world’s third largest economy behind only the U.S. and China. It’s also surely a massive undercount — most cybercrime victims shy away from reporting it.

AI-enabled digital predation will also increasingly target newly middle-class communities and industries in the Global South.

“Already prevalent in Latin America, cybercrime will continue to spread to parts of Asia and West and Southern Africa, as affluency grows and internet connectivity brings large swathes of the global population online,” reads a 2024 report from the World Economic Forum.

The silver lining: AI-driven cyber defences will progressively deter and disarm bad actors long-term. But that will first require large amounts of research and international co-operation, bug patching, stress-testing of networks and public education. These all take time.

“I really believe we will be safer and better, and we will be much more secure with AI,” a former cybersecurity lead at the U.S. National Security Agency told Bloomberg recently. “But I think there’s this dark period between now and some time in the future where the advantage is very much offensive AI, where the people who haven’t done the basics will get hacked.”

Time to start brushing up on those basics.

Kyle Volpi Hiebert is a Montreal-based political risk analyst focused on globalization, conflict and emerging technologies.