Does Mythos really pose a threat to cybersecurity? Experts comment

Mythos – Anthropic's new language model that its creators say is too dangerous to be made public – has caused a huge stir around the world. In the United States, Treasury Secretary Scott Bessent and Federal Reserve Chairman Jerome Powell met with the CEOs of the largest banks to discuss the risks it may pose to the financial system. As reported by the New York Times, the US administration has started discussing AI regulation, which it has so far avoided, and which would give it access to the latest versions of language models before they are released to the public. The top-level meetings sparked by Mythos are not limited to this country, however, as similar talks have taken place in Canada, Japan, the UK and other countries. Why this reaction, of the kind associated with crisis management?
Anthropic claims that Mythos significantly outperforms the language models known today in the tasks of analyzing code and finding security vulnerabilities. According to the company, it can effectively and – importantly – largely autonomously detect errors that people have not noticed for years.
In the right hands it could help make IT infrastructure more resilient than ever before, but in the wrong hands it could be a dangerous tool. Anthropic explains that this is why it is first making Mythos available to a limited number of partners, who can use it to test their own software and prepare for the moment when similar tools fall into the hands of attackers.
Reasons for the uproar in the financial sector
Why is it that the financial sector is seeing the greatest uproar over Anthropic's claims? We asked the experts of the NASK Cybersecurity and Infrastructure Center about this.
— It can be assumed that the more complex the system we want to examine in terms of finding vulnerabilities, the more time we need to spend on it. The IT solutions of any mature organization serving a large number of customers will be more complex and adequately secured (e.g. the simplest errors should not occur there). The use of artificial intelligence can significantly reduce the time needed to identify a vulnerability in such infrastructure. Banks are a perfect example here because their infrastructure is extensive, well secured, and additionally, potential significant financial benefits are an incentive for criminals – replies Iwona Prószyńska from CERT Polska.
So we have a collision between a potentially much faster process of finding vulnerabilities and a time-consuming and risky process of implementing patches, which in financial institutions always require a long testing and approval process. It is easy to imagine a situation in which this asymmetry causes a domino effect that paralyzes the world.
Institutions with extensive historical technological baggage have a particular headache. The foundations of some systems may go back decades – in the case of the US, even to the first IBM mainframe computers and code written in COBOL. The people who laid these foundations are often no longer alive, and there are few specialists who would be able to untie this Gordian knot of code and dependencies between systems.
Anthropic assurances under fire
This all sounds serious and it is not surprising that many institutions have become nervous. The problem with this whole situation, however, is that most information about Mythos' capabilities comes from Anthropic and cannot be verified, because only a limited group of partners has access to the model. These include companies that have invested in Anthropic, which may have an interest in ensuring that this start-up preparing to go public is talked about as much as possible.
At the same time, analysis of the information provided by Anthropic shows that the narrative around Mythos looks exaggerated. As Iwona Prószyńska from CERT Polska explains, “Mythos is the first solution that commercialized the topic of vulnerability testing using AI. However, it is not a revolutionary solution, because even open/free models can already effectively search for vulnerabilities or largely reproduce the work of Mythos. It is a natural development of the fast-paced technology and the so-called proof-of-concept using commercial, the most advanced AI technologies available today.”
The entities that received access to the new Anthropic model include the Mozilla Foundation, the creators of the Firefox browser, but their statements were also criticized. The people behind the software's development reported that thanks to Mythos, they managed to fix a record number of bugs in April (423 compared to 76 fixed a month earlier). At the same time, they explain that not only the language model has improved, but also the entire set of tools they use. Because they do not present the results of comparative tests that directly compare the effectiveness of Mythos with another language model operating within the same system, it is still unclear how much of this is due to the new products from Anthropic and how much to the fact that the rest of the tools and the engineers themselves have simply become better at doing their job.
The creators of the Firefox browser who received access to Mythos say that thanks to AI they are able to detect many more errors. However, it is not known how much of this is due to the model itself and how much to the fact that AI as a whole and the ecosystem built around it have become much more effective.
Anthropic with image problems
All this is compounded by the situation around Anthropic. The company recently leaked the code of one of its most important tools, and access to Mythos did not protect it from errors that, for several weeks, made its publicly available flagship model much less effective and caused waves of user dissatisfaction. It also turned out that due to a mistake by Anthropic employees, an undesirable third party gained access to Mythos.
Anthropic also has well-documented computing power shortages, making it questionable whether it would be able to publicly release its new language model at all.
For all these reasons, there are more and more voices saying that the way of presenting Mythos as a model too dangerous to be made public immediately is more of a marketing ploy than a result of concern for the future of the world.
Dario Amodei, founder and CEO of Anthropic, often talks about wanting responsible AI development. However, many people question the purity of his motives.
The loudest of these voices is, of course, Sam Altman, head of OpenAI. In one of the podcasts he called Anthropic's actions fear-based marketing and compared them to a situation in which someone threatens to drop a bomb on someone and a moment later offers to build a shelter for that person.
Of course, he is completely biased in this matter, as the head of a competing company in a dispute with Anthropic's management, but two facts speak in his favor. The first is that the latest version of Codex and the GPT-5.5 model are quite widely considered to be at least as good at programming as their latest widely available counterparts from Anthropic.
The second is that we have seen a narrative similar to the one built around Mythos before. A few years ago, OpenAI did not want to publicly release the GPT-2 model, arguing that it was too effective at generating realistic content and could be used for mass disinformation. In short, because it is too dangerous. Back then, one of the people co-responsible for research on GPT-2 was Dario Amodei, today the head of Anthropic.
Mythos is not the most important thing in this discussion
Ultimately, we are unable to assess how much truth there is in Anthropic's assurances, because we do not have clear evidence for this. At the same time, focusing on resolving this may simply be counterproductive.
Regardless of whether Mythos is the breakthrough that Anthropic's announcement presents or just the next step in the evolution of AI, one thing seems certain – tools of this type are becoming more and more effective and will be available to more companies and users faster and faster. Artificial intelligence is already being used to generate malicious code and, as experts from CERT Polska say, “as the quality develops and the costs of using AI tools decrease, we expect a further increase in both the pace and scale of previously observed activities.” Meanwhile, the technological debt of government and financial institutions is a fact that must be faced sooner rather than later – no matter what percentage of myth is in Mythos.
From a practical point of view, this leads to a quite simple conclusion: in a world where the cost of mass searching for vulnerabilities and using them in an attack is rapidly decreasing, taking care of cybersecurity is not an option, but a necessity.
Luckily, the risks presented by AI can be significantly reduced using simple methods that have been known for years. The key remains limiting the attack surface. As CERT Polska points out, “company services, if they do not necessarily have to be available from the public Internet, should be hidden behind a VPN gate or another solution that excludes simple access by third parties.”
In addition, there are other fundamental elements of digital security hygiene, such as user access management and regular software updates.
An old router with “vulnerable” software to which Internet of Things devices connect – a recipe for a ticking cybernetic time bomb
Consumers, meanwhile, should rethink the hierarchy of values that dictates their electronics choices and their approach to software updates. Old budget routers with software dating back to the previous decade, smartphones from manufacturers who do not update their systems, computers with blocked Windows updates: devices of this type are already a source of cyber threats, but so far this has often not translated into real problems for the proverbial ordinary people. However, in a situation where it is becoming easier and cheaper to carry out mass attacks, such digital carelessness will sooner or later lead to problems.






