With great power comes great responsibility.
Before artificial intelligence became readily accessible, cybersecurity risks were dependent on criminals’ direct labor. That is, criminals faced the same limitations that any worker faces – most significantly, that there are only a certain number of hours in a day. These constraints inevitably limited cyber crime in the past.
But AI is removing these limitations for both legitimate and illegitimate activities. Agentic AI – autonomous AI systems that can complete tasks and meet objectives with minimal human supervision – may make cyber criminals more efficient. Agentic AI has greater capabilities and may be capable of “acting and making decisions in a way a human might.” This increased productivity is, of course, a good thing when the objectives benefit society. Unfortunately, it is easy to envision how criminals can exploit Agentic AI systems to engage in criminal activities without the limitations of human labor or even earlier AI models.
The potential for supercharged criminal activity made possible through Agentic AI is receiving scrutiny as this technology becomes more available. A blog post recently leaked from Anthropic, an AI company, discusses its new AI model, Claude Mythos, and provides insight into this emerging cyber threat. The internal Anthropic documents describe Mythos as potentially the most powerful AI model ever created, and the blog post makes clear that Anthropic has concerns that Mythos may create new cybersecurity risks. Specifically, Anthropic is concerned that Mythos could be used for crime by exploiting vulnerabilities in victims’ systems and outgunning current cybersecurity defenses.
Anthropic has already started to prepare government agencies and corporations for the potential impact of Mythos. Reports indicate that while preparing for the release of Mythos, Anthropic briefed U.S. government officials on the possibility that Mythos could be used for large-scale cyberattacks. AI models currently in use create security threats when AI agents or assistants work on their own to exploit vulnerabilities in a system or network. In general, “[a] single AI agent could scan for vulnerabilities and potentially take advantage of them faster and more persistently than hundreds of human hackers.” Agentic AI models would increase these threats to the extent they do not need humans to oversee their criminal activities.
The leaked Anthropic blog post indicates that Anthropic will initially limit access to Claude Mythos in order to address “cybersecurity uses” at its launch. The Anthropic blog post raises the following concerns:
- “We have written several times in recent months about the rapid progress in AI models’ cybersecurity skills—skills that can be used for good or for ill.”
- “We’ve documented the ways in which models can be used to rapidly discover vulnerabilities in codebases; we’ve also shown how they’re already being used to commit large-scale cyberattacks.”
- Anthropic states that by its own assessment Mythos “presages an upcoming wave of models that can exploit vulnerabilities in ways that far outpace the efforts of defenders.”
Based on these concerns, the leaked blog post states that Anthropic’s plan to release Mythos “focuses on cyber defenders.” This early access for legitimate organizations is intended to provide “a head start in improving the robustness of their codebases against the impending wave of AI-driven exploits.”
As recognized by Anthropic, the balance of power will shift when criminals use Agentic AI systems to exploit systems and defenses that rely on humans. The persistent threat created by the new breed of AI systems demands that organizations evolve and incorporate this technology into their defenses. Larger organizations may be able to adapt to the criminal use of Agentic AI agents, but smaller ones will also need to find ways to defend against this new threat. It will be critical for all organizations to at least be familiar with new threats and the emerging defenses against these threats.
