Anthropic has removed its latest AI model, Mythos, from public release, citing threats to global cybersecurity.
But the US technology startup that developed the Claude chatbot confirmed on Wednesday that it was investigating reports that some people had compromised Mythos. The alleged incident raised concerns about the pace of development and the ability of tech companies to keep their riskiest products out of the public domain. Here we consider myths and their potential impact.
What is Mythos?
According to Anthropic, Mythos is an AI model (the underlying technology that powers tools like chatbots) that represents a serious potential threat to the cybersecurity of any organization. Anthropic announced the existence of Mythos on April 7, but said it would not release it to the public because of its ability to identify unknown flaws in IT systems. In theory, these flaws could be exploited by hackers.
Anthropic said Mythos can identify and exploit “zero-day” flaws in all critical IT operating systems and web browsers if users request it. Zero-days are so called because organizations and developers were completely unaware of them and did not have time to patch them before the attackers attacked.
Anthropic described this as a “tipping point for cybersecurity.” The San Francisco company says some of the unnoticed flaws have been present for decades.
The startup allows tech companies and banks, including Apple and Goldman Sachs, to access the model and assess what risks it may pose to their businesses and customers.
Why the concern?
According to the UK’s AI Security Institute (AISI), Mythos represents concrete evidence of the disruptive capabilities of advanced AI. Ever since OpenAI’s ChatGPT debuted in 2022, experts have warned that AI could cause serious real-world damage.
More broadly, Mythos shows the pace of progress in AI. Advanced models tend to be quickly replicated by other companies, including developers of open-source models that are freely available to users. In a joint letter to business leaders last month, UK Technology Secretary Liz Kendall and Security Secretary Dan Jarvis said businesses need to “plan accordingly” as AI capabilities “rapidly improve” over the next year. Of course, AI can also be used to defend against cyberattacks.
Another concern is that Mythos could fall into the wrong hands, even though its release has been withheld. Those fears became reality this week when Anthropic confirmed that a “small number” of users had accessed the model in a private online forum.
However, there are questions about the significance of the thousands of vulnerabilities reported by Mythos. Can it cause significant damage? Moreover, highlighting an IT flaw is not the same as exploiting it.
Has Mythos been evaluated by experts?
AISI, the world’s leading AI safety agency, reviewed Mythos and described it as a “step up” from previous models in terms of threats to cybersecurity. Red flags include the ability to execute multi-step attacks or identify IT flaws without human guidance.
We also achieved a first for AISI by successfully completing a 32-step simulation of a cyber attack in a test created by AISI. AISI said it could attack vulnerable and small IT systems, but could not make judgments about well-defended systems. The institute concluded its evaluation with views well expressed elsewhere. This is where AI systems can only improve.
Richard Horne, chief executive of the UK’s National Cyber Security Center, said at the CyberUK conference in Glasgow this week that the arrival of Mythos would help businesses replace “outdated technology”. “It just adds to the urgency,” he added.
But other experts say Mythos is more an evolution than a revolution. Aisle, a company working on AI cybersecurity, analyzed Anthropic’s main claims. It says it has discovered thousands of zero-day vulnerabilities across a large range of operating systems and browsers, including vulnerabilities in FreeBSD, a relative of UNIX. It turns out that other much cheaper models can also find these problems. This doesn’t mean Mythos’ abilities aren’t important, they said, but it means there’s more nuance than Anthropic’s urgent tone suggests.
Experts also warn that most breaches still stem from established risks such as weak authentication and known unpatched vulnerabilities.
Some experts suggest there is an element of hype around Anthropic’s claims about Mythos and how the startup, estimated to be worth around $800bn (£592bn), has presented it. Mythos is definitely a capable model. But Anthropic’s dramatic announcement significantly reduced its airtime and put its product at the center of a broader, field-wide conversation about how AI contributes to cyber risk.
How are technology companies and banks involved?
About 40 companies, including Google, JP Morgan, and Goldman, were granted early access to Mythos through an initiative called Project Glasswing. This is intended to give businesses the opportunity to test AI models as part of their cyber defense. Anthropic says it will share its learnings “so that the entire industry can benefit.”
However, the launch partners have not provided details about what they think Mythos is capable of or how much of a threat it could pose.
Nevertheless, banks and regulators have not stopped speculating about its potential impact. There’s a good reason for that. If Anthropic’s warnings are correct, Mythos could wreak havoc on banks and put the broader financial system at risk if it falls into the wrong hands.
The UK government has modeled the worst-case scenario of a bank hack that predates the creation of Mythos, suggesting direct debits could fail, rents, mortgages and wages could go unpaid, and online banking and automated teller machine withdrawals could be blocked. Commuters could be stranded as buses and gas stations refuse to pay. Customers withdrew funds from their accounts over fears of widespread chaos, sparking panic and potentially leading to a scramble with rival lenders.
Concerns about the potential threat from Mythos led U.S. Treasury Secretary Scott Bessent to convene a meeting in Washington earlier this month with executives from major U.S. banks, including Goldman and Citi.
The UK regulator has added Mythos to the agenda of this week’s Cross Market Operational Resilience Group meeting. This has led to high-level discussions between bank executives as well as officials from the Treasury, the Bank of England, the Financial Conduct Authority and the National Cyber Security Centre.
