Computer science and particularly information security stories can occasionally “color” more general discourse, such as rampant speculation of cyber components of recent conflicts. But rarely do highly technical items reach true “escape velocity” to inundate popular media. The past few days have observed just this phenomenon with Anthropic’s announcement of its latest general-purpose language model, Mythos. Notably, the model was not released to the general public as it was effectively deemed “too dangerous” for public use, thus generating significant amounts of media coverage.

The marketing element of essentially advertising your technology as too dangerous for mere mortals to use is powerful, and having such claims breathlessly repeated by general and major media outlets is incredibly valuable. Of note, Anthropic does have a bit of a track record in this arena of “responsible” AI development, use, and disclosure, so the effort to hold back this model (and avoid immediate harm) is not without value or precedent. However, the ensuing safety effort, dubbed Project Glasswing, raises additional questions and concerns as far as the scope, direction, and efficacy of these initiatives are concerned.

Before addressing Glasswing, it is worth emphasizing that while the Mythos model is not available for direct experimentation by the general public, quite a bit of information has been made public for review. Notably, the system card is publicly available, including a dedicated section on cyber applications. Looking at this, some interesting details emerge. For example, in analyzing testing against Firefox 147 and 148, Mythos is able to “outcompete” Claude Sonnet 4.6 in achieving exploitation, but appears to do so by narrowly focusing on permutations of two “primary” bugs within the software. When these foundational items are removed, the earlier model actually does a better job of finding (and exploiting) vulnerabilities. It is also worth noting that when these root issues are addressed, experimentation shows a significantly lower rate of exploitation across both models overall, with single-digit success rates.

Additionally, while Mythos was able to perform well in a cyber range evaluation simulating (by Anthropic’s own description) “small-scale enterprise networks with weak security posture (e.g., no active defences, minimal security monitoring, and slow response capabilities),” the model was less successful against more complex ecosystems. Furthermore, the model was unable to solve a challenge simulating an operational technology (OT) environment, an arena where the most breathless media coverage typically resides.

While discussion with experts and those within the Glasswing ecosystem confirms Mythos has identified critical, long-lurking bugs in foundational software (e.g., the publicly noted weaknesses within OpenBSD), such observations must be tempered with the items above in mind. Mythos, like other advancements in AI models over the past few years, undoubtedly has pushed the boundary out in terms of machine capability and efficacy, but it is not “magic.” Bug hunting might accelerate quite rapidly and concerningly (if equal or greater investments in applying AI to defensive and patching use cases are not made), but, as shown in Anthropic’s own analysis, defense in depth, the application of common security controls, and active defensive postures all work quite well against the possibility of effective autonomous hacking.

Returning to Glasswing, the project was announced with the fanfare one might expect of efforts to cure a horrible disease or similar, trumpeting significant collaboration and coordination among a host of software organizations, companies, and consortiums. 

These entities range from the major commercial operating system providers (Microsoft and Apple) to open source consortia (the Linux Foundation) to providers of network devices and other technology (Cisco and Palo Alto). At first glance, this appears to be a very robust cross-section of the technology landscape and surely represents the entities that “simply” need to be “in the room.”

And yet, some important things are missing. First and foremost, the Glasswing consortium is overwhelmingly weighted in favor of IT networks and technology. This makes sense at first glance, until considering the risks in vulnerability discovery (and exploitation) in other technology areas such as OT, internet of things (IoT), and medical device fields. While it is true that there is significant overlap with these technologies and Microsoft Windows and various flavors of Linux at the operating system level, there nonetheless are multiple unique applications, use cases, protocols, and similar that have significant implications for safety (not just security) that are completely missing. The lack of a Siemens, Rockwell, or Schneider Electric on this list is quite interesting and very much concerning.

This sense of “people are missing” extends to other arenas as well. The most common concern heard publicly and privately about Mythos is its ability to target foundational elements of the internet. Having a Cisco represented along with the “big” OS maintainers is thus good, but then we must ask: where are Juniper and Ericsson, responsible for hardware and software that underpins much of internet and telecommunications functionality? Or perhaps more controversially, organizations such as Huawei, given that company’s immense market share globally in key switching, routing, and networking gear?

Huawei may be an awkward outlier due to past controversies, but other organizations (say Siemens and Schneider Electric) seem relevant yet also share something in common: they are not US companies. Thus the list seems geographically (or perhaps politically?) skewed to a degree. While the companies in question are certainly global in footprint and impact, they are at the end of the day US-domiciled entities. Given the significant geopolitical and defense implications of the AI race, this may make a degree of sense but nonetheless is worth noting given the claimed impact of Mythos on global software security.

These concerns aside, some may advocate for restraint on not just deploying, but even developing, technology like Mythos. For those who have made it this far, you may think this article is heavily critical of Anthropic along these lines. Yet Anthropic has shown an admirable degree of restraint (opportunistic marketing aside) in this endeavor and has proven to be one of, if not the, most enlightened entities performing AI research and development. This raises another significant point: if Anthropic did not develop Mythos, someone else would (and almost certainly will eventually) create a similar capability, whether another of the major American AI companies or competitors in China or elsewhere.

Thus, instead of standing athwart AI development (futilely) screaming “stop,” those concerned about developments such as Mythos should look for mitigating items. The idea of Glasswing is already quite decent, but its extent (particularly concerning IT-exclusive focus) argues for improved execution over time. We should thus learn from these experiences to ensure the “right parties” are engaged in these discussions and not lock ourselves into the same Silicon Valley/Valley-adjacent entities being the only representatives in the room in times of emerging crisis.

Combined with taking a more inclusive approach to secure and controlled AI development, there needs to be an emphasis on, and a willingness to invest in, mechanisms to mitigate the potential harms deriving from AI advancement. While one answer is “leverage AI to defend against AI,” such as using mechanisms like Mythos during software development lifecycles to ensure vulnerabilities are identified and fixed before being introduced in finished products, this only goes so far. The power plant, factory, or hospital network running legacy systems must deal with the technological debt (and errors) of years past and may not be able to rely on these improvements for quite some time.

More impactful measures would align with what Anthropic researchers discovered in their own end-to-end testing of Mythos in cyber range environments: adding defense in depth and security controls to reduce the overall impact of even zero day exploitation along with autonomous probing of networks. The problem with this approach, however, is that it is both time consuming and expensive to roll such approaches out to every water and wastewater utility or school district that could fall victim to AI-enabled capabilities. Critical policy and resourcing questions thus emerge that are simply not registering with those leading (or attempting to regulate) the AI revolution at the moment.

Mythos and Glasswing represent no small amount of hype, but contain very real and valid concerns beneath the media frenzy. While Anthropic is admirably attempting to responsibly push AI development forward, for reasons given above the entire AI and technology ecosystem must go further still to identify and mitigate the potential harms emerging within and from this field. Simply thinking that this type of development may stop or be reversed, however, is unrealistic and unreasonable. Mythos and similar may be decried as so much hype today, but the capabilities are very real and are only improving with time. Denying this and pretending such issues will go away is not merely unaccepting of the direction and pace of technological development, but represents a type of willful ignorance that has significant implications for the safety and security of both technologies and societies.

