Anthropic’s Claude Mythos is said to be the most powerful AI model created so far. It is so powerful that: (a) Anthropic says that it cannot fully control it; and (b) the “model found decades-old vulnerabilities in foundational open-source code that millions of automated tests and countless human experts had missed, presaging a potentially revolutionary moment in cyber.”
In this blog post, two experts – Ben Buchanan and Michael Sulmeyer – tell us why Mythos is a big deal.
Ben Buchanan is an adviser to Anthropic and a former senior advisor for AI at the White House, now at SAIS; Michael Sulmeyer is a former Assistant Secretary of Defense for Cyber Policy, now at Georgetown.
Dr. Michael Sulmeyer is Professor of the Practice at Georgetown University’s School of Foreign Service. Previously, he was the first Senate-confirmed Assistant Secretary of Defense for Cyber Policy and the Principal Cyber Advisor to the Secretary of Defense. In these roles, he was responsible for overseeing the Department of Defense’s cyber policies and operations. Prior to his appointment as Assistant Secretary, Dr. Sulmeyer served as the Principal Cyber Advisor to the Secretary of the Army. Before his time with the Army, Dr. Sulmeyer served in multiple positions in the Office of the Secretary of Defense.
The experts first explain why Mythos’ capabilities are unprecedented and remarkable: “What this system does at its core is it takes a general-purpose capability — it is not a cyber-specific model — and applies it to the business of vulnerability discovery and exploit development. As Michael can attest very well, these are fundamental tasks in cybersecurity: finding a weakness in a piece of computer code and then figuring out how to exploit that weakness to do something as an attacker that you’re not allowed to do.
The evidence is very clear that Claude Mythos is by far the best automated system in the world ever to do this, and is better than even some of the best expert humans — or close to some of the absolute top-tier expert humans — at this task of vulnerability discovery and exploit development. The proof is in the pudding. It found vulnerabilities in code that all of our operating systems and all of our browsers are running. Those vulnerabilities in some cases had lurked there for multiple decades. In some instances, we thought that code was secure. Millions of automated tests had been run on it, and yet Mythos found ways to exploit it. There is a real raw capability here that is vital.”
Then, after telling us of the shock & awe in the coder community regarding what Mythos can be, the experts tell us that Mythos now gives the US another source of military muscle it can use against other countries (by secretly using Mythos to spot flaws in their cybersecurity infrastructure). However, in order to do that, Anthropic and the US Government would have to stop fighting (something that we highlighted using this New Yorker article a month ago).
The two American experts are obviously delighted about the new offensive possibilities Mythos opens up for the US armed forces: “What something like this allows for is a new set of options — if used for offense and exploitation purposes — a new way to really scale those options for decision-makers. Whatever the expected outcome is, for better intelligence collection or other types of purposes, it really opens up the opportunity space.”
However, Mythos can do more than spot vulnerabilities in cybersecurity systems; it can destroy tech infrastructure: “We saw the glimmers of it in 2019 and 2020, but Mythos is really doing it — not just in vulnerability discovery, though that’s a key part of it, but throughout the process. There’s something in the system card for Mythos where it carried out a simulated network exploitation that would have taken a human 10 hours. So there really is evidence now that what cyber operators call the kill chain can be transformed by AI capabilities.”
The next logical step is for Mythos to be deployed on the battlefield. The experts speculated that the Ukraine-Russia conflict might be the first live deployment of Mythos (to cripple Russia’s cyber infrastructure).
However, the experts also say that it makes sense for the Americans to keep their mouths shut in public about Mythos whilst quietly using its capabilities: “My view for decades has been that the advantage of cyber is not the whiz-bang sky-is-falling blackout — though you can do that sometimes — it is the slow, insidious shaping of the environment and collection of information. A capability to find vulnerabilities and exploit them autonomously would really help on that side of the ledger…cyber operations were suited to shaping: stealing a card, stacking the deck, rather than changing how the other side plays its hand. I don’t think Mythos changes that.
The broadest thing you could say about a capability like this is, in the abstract, it has some brandishing value or maybe even deterrent value because it bolsters the status of the nation that has it. But I imagine a government who truly wanted to play offense would want this kept quiet so that people don’t go looking for it. Anthropic has very clearly come out and said their goal for this technology is not to play offense — their goal is to tilt the balance of power in cyber operations to the defender.”
Mythos is also likely to reduce the amount of time it takes to build a new tech ecosystem because Mythos – by spotting bugs & vulnerabilities quickly – will speed up testing. However, in case you think your firm will be able to buy Mythos, the experts speculate that the USA is likely to put export controls on Mythos.
Note: The above material is neither investment research, nor financial advice. Marcellus does not seek payment for or business from this publication in any shape or form. The information provided is intended for educational purposes only. Marcellus Investment Managers is regulated by the Securities and Exchange Board of India (SEBI) and is also an FME (Non-Retail) with the International Financial Services Centres Authority (IFSCA) as a provider of Portfolio Management Services. Additionally, Marcellus is also registered with US Securities and Exchange Commission (“US SEC”) as an Investment Advisor.