Cybersecurity authorities in Australia, Canada, New Zealand, the UK and the US issued a call to action for cyber defenders on Monday. The message was clear. Artificial intelligence (AI) is a powerful weapon for cyber attackers. Defenders must act quickly to strengthen their cyber defenses.
There is currently a lot of hype and uncertainty around AI and cybersecurity. This latest statement comes a little more than a week after the U.S. government forced frontier AI provider Anthropic to block access to its most advanced AI technology, Mythos and Fable, over concerns that it could be exploited by foreign adversaries to attack U.S. government systems.
In this demanding environment, it’s important for cyber defenders to ignore the noise and prioritize what’s truly important in protecting their systems.
Call to arms
The joint statement was issued by the heads of the Five Eyes national cybersecurity agencies. It warns that AI is dramatically changing cyber risks and details how defenders must act to protect their organizations.
The report notes that powerful AI is already helping adversaries carry out more sophisticated attacks faster.
One way this happens is through automated vulnerability discovery and exploitation. No software is perfect. Attackers exploit subtle design or implementation flaws in a system’s software to gain entry into that system. They then take control of it and use it as a base from which to launch further attacks.
This is why it is so important for cyber defenders to stay up to date with software patch deployments. These are small changes to system software that block known vulnerabilities.
AI allows adversaries to discover flaws orders of magnitude faster and devise ways to exploit those flaws to carry out attacks.
As such, the Five Eyes statement warned that AI is dramatically reducing the time between when a vulnerability is first discovered and when it is first exploited in an attack. Defenders can no longer afford to wait weeks to deploy software patches.
What can the defender do?
The Five Eyes report points to the importance of cyber fundamentals and encourages organizations to use AI to strengthen their defenses. But it would be a mistake to implement AI without first investing in cybersecurity fundamentals.
The cyber defenders who can weather the AI storm will be those who already have mature practices in place. They know exactly what assets need to be protected, which systems within the organization are exposed to attack, and what defenses are in place to protect exposed systems. They also know how to measure the effectiveness of their defenses and determine where they are lacking.
We also use an evidence-based process to track known vulnerabilities in our systems and prioritize those that are most important to patch. These are backed up by reliable processes for rapid testing and deployment of software patches and response to cyber breaches and incidents.
As AI makes it possible to discover software vulnerabilities cheaply, next-generation software must be designed and built securely.
Finding the best way to do this is what I have dedicated my career as a researcher to.
Before reaching for AI, defenders must first invest in the fundamentals. Otherwise, you are effectively deploying a robot guard dog to guard unlocked doors.
The role of AI in cyber defense
This does not mean that AI cannot play an important role in cyber defense. It’s just that AI should augment, rather than replace, strong cyber fundamentals.
AI benefits attackers and defenders alike. AI models that help attackers discover software vulnerabilities can also help defenders fix the same vulnerabilities.
AI that can automatically exploit software vulnerabilities can help defenders ensure that software is properly patched. AI that can map and discover sensitive assets within computer networks can serve both offensive and defensive purposes.
This is why it is so important for defenders to have access to AI capabilities so they can harden and protect their systems before those same AIs are used in attacks.
Will regulation help?
Thinking about how to balance the competing benefits and risks of new cybersecurity technologies is nothing new.
In the 1990s, society grappled with how to regulate encryption, which not only protects online communications from adversaries but also allows adversaries to evade law enforcement.
The rise of cyber exploit kits in the 2000s allowed defenders to better test their systems, but it also enabled any disgruntled teenager with an Internet connection to become a “script kiddie” hacker, leading to the arms control debate a decade later.
The 2010s gave us blockchain technology such as Bitcoin and other cryptocurrencies. They were built on defensive cyber technologies, but their lasting legacy remains ransomware attacks and the rise of online illicit markets.
The rise of AI poses similar dilemmas for regulators.
A blanket ban on the export of advanced AI models is likely to be counterproductive. Open source AI models such as DeepSeek are only a few months behind state-of-the-art models from OpenAI and Anthropic. Recent research suggests that a combination of less powerful AI models and complementary technologies can close much of that gap.
Therefore, defenders must assume that their adversaries already have access to AI comparable to that used for cyber defense. Only by investing in a strong foundation can you escape the cat-and-mouse AI cyber arms race.
