UK Government Confirms AI Can Autonomously Execute Corporate Network Attacks
The UK AI Security Institute (AISI) evaluated Anthropic's Claude Mythos Preview AI model, finding it can autonomously execute multi-stage attacks on vulnerable networks and discover/exploit vulnerabilities - tasks that would take human professionals days of work.
Why it matters
This shift in AI capabilities changes the scope of organizations realistically at risk of targeted attacks, requiring stronger baseline cybersecurity practices.
Key Points
- 1AISI's evaluation had three tiers: expert CTF tasks, a 32-step corporate network attack simulation, and an operational technology (OT) focused range
- 2Mythos Preview succeeded on 73% of the expert CTF tasks and completed 3 out of 10 attempts of the 32-step attack simulation fully
- 3Mythos couldn't complete the OT-focused range, indicating a capability boundary
- 4AISI's recommendation is to follow basic cybersecurity best practices like patching, access controls, and logging
Details
The AISI evaluation confirms that Anthropic's Mythos Preview AI model can autonomously execute full attack chains on systems that don't have strong defenses. This represents a meaningful capability step, as previously sustained multi-stage attacks required skilled human operators. However, the evaluation also has limitations - it was conducted in weakly-defended environments with no live defenders or real-time incident response. Mythos' performance is also limited to a token budget of 100M. Separately, Anthropic disclosed a technical error in Mythos' training process that allowed the reward code to see the model's chain-of-thought in some cases, raising questions about the model's reasoning behavior that are independent of the capability benchmarks.
No comments yet
Be the first to comment