The AI industry is far too advanced to sell itself with an old-fashioned message like: “We have a great product, subscribe and we think you’d like it.” If you’re selling large language models, you need something much more cortisol-inducing: “Our product is so advanced it’s literally the apocalypse, it is a vastly powerful demon on the brink of escaping its cage, subscribe and perhaps it will spare you.”
This is an approach OpenAI has pioneered since 2019, when it told the world it wasn’t going to release its early GPT-2 model because it would be dangerous in the wrong hands (they released it anyway). Last week, Anthropic issued a similar message about its new model, Mythos, which it is also declining to release (they will release it anyway), because it has become capable of hacking everything in the world. Or rather, that is what many people and publications have decided to infer from the company’s warning that the model “found thousands of high-severity vulnerabilities, including some in every major operating system and web browser”.
A more sober analysis was published this week by Britain’s AI Security Institute, which has also evaluated Mythos and found that when tested in controlled simulations, it is “a step up” on previous models. It is the first model to solve a lengthy and difficult hacking test which AISI devised (and which it would take an experienced human around 20 hours to complete). But these are controlled tests, quite different from the real world. “We cannot say for sure,” the AISI concluded, “whether Mythos Preview would be able to attack well-defended systems.”
Mythos is not, then, a doomsday device for cyber security, and in the long run, cyber security experts I’ve spoken to say it may well make software and systems more robust, because it will allow for much more thorough testing of products before they’re released. But in the short term, AI models are going to create what experts have described to me as an “avalanche” of newly discovered vulnerabilities, for which the world’s companies and their IT managers are “not prepared”.
The big change is how easily AI models discover vulnerabilities. In the past, companies have held hacking competitions, and “bug bounty” programmes in which large sums – millions of dollars – have been paid out to people who find cracks in their defences. AI models find these vulnerabilities much more quickly than people can. It’s worth noting that this isn’t simple – some of the vulnerabilities found by Mythos reportedly involved spending tens of thousands of dollars on computing power – but also that Mythos is not wildly different in its capabilities, just further ahead. All of the major commercial models can also find vulnerabilities and are expected to catch up.
Criminals know this, and have changed their attitude to AI in the past one to two years. When generative AI became popularised by the release of ChatGPT, there was a concern that bad-guy versions (called things like “WormGPT”) would start creating viruses at scale. Most criminals found these models laughable. Now, however, they are using the same commercial models as everyone else, because they have all improved dramatically at finding vulnerabilities and creating exploits, especially within the past year. Again, Mythos is just the leading edge of this trend, which already exists and for which most companies have not prepared.
A normal person might assume that when a company’s executives and IT managers are told about a vulnerability in their equipment, they drop their coffees and sprint down a corridor to fix the thing immediately. This doesn’t happen. IT tends to fix a company’s “computers” (laptops), but not its other computers (routers, power supplies, printers, industrial controllers). And even if it was IT’s job to fix those things, doing so might require the factory to shut down or the building to close for a time, which is often too expensive to contemplate. The result is that many known vulnerabilities aren’t patched (fixed) by users for a year or more – many aren’t patched at all – because there is a financial incentive for users to defend themselves as slowly as possible.
The financial incentive for attackers, meanwhile, is accelerating. When someone finds a way into a machine or a network, that access becomes an asset which can be sold on. The speed at which this happens has increased enormously in recent years. In 2022, when the world found out about ChatGPT, it usually took about a working day (eight hours or more) for access to be handed over to a buyer. That’s pretty fast for selling on stolen goods – but now, less than four years later, it takes a little over 20 seconds. This isn’t the result of an AI with Mythic credentials coming up with genius-level exploits – it’s the more boring, but arguably just as consequential, business of automation bringing together buyers and sellers of exploits as quickly as if they were trading on a stock exchange. Automation has created the fastest and most efficient market for crime that has ever existed.
What happens after access is handed over has also changed. Until recently, most cyber attacks involved doing something to the compromised system straight away – stealing from it, locking it, breaking it. The other option is to wait, explore, find things out. As recently as 2023, only about a quarter of attacks were this patient, but now almost all of them are: having exploited a system, nine times out of ten, attackers will now wait, gathering information. What this means is that a large amount of the AI-enabled hacking that people worry about Mythos doing has, in fact, already happened.
The next few years will be consequential for cyber security. Experts are optimistic about the capacity of AI models to test and secure new software, but it is often older things that are the problem: Mythos found a vulnerability in a secure operating system that had existed, undiscovered, for 27 years. Companies may feel tempted to use AI to discover all the possible vulnerabilities in their products and release patches for them – their legal departments might well advise them to do so – but if only a small minority of users install those patches, they’ll just be broadcasting lots of new weaknesses for criminals to exploit. This might be part of the reason Anthropic is so nervous about the capabilities of Mythos – not because it is a skeleton key into every computer system in the world, but because a lot of those doors were already open.