Frightening AI advances speed race to secure critical infrastructure

• Anthropic is limiting access to its Mythos Preview model for that reason. OpenAI is looking to do the same for a forthcoming release, a source familiar with those plans told Axios.
• But such capabilities won't remain locked down for long.
• Already, researchers have found readily available open-weights models that are capable of exploiting many of the decades-old bugs that Mythos Preview targeted in testing.

Driving the news: Anthropic said Tuesday it has no plans to release its Mythos Preview model to the general public, and other models in the Mythos line won't come up unless strict guardrails are in place and defenders have had more time to prepare.

• OpenAI also plans to roll out a forthcoming product with advanced cyber capabilities to a small subset of companies through its "Trusted Access for Cyber" program, the source told Axios.

The big picture: Hackers are already scary good at turning around exploits that target security flaws in software and hardware. Last year, 42% of vulnerabilities that were used in attacks hadn't even been publicly disclosed yet, according to CrowdStrike.

• Security experts now warn that the new models are likely good enough to both find and weaponize vulnerabilities in as little as a day — giving companies no room for error in their defenses.
• "Dwell time used to be 90 days, then it became six days," Rubrik CEO Bipul Sinha told Axios. "Now it has become zero [days], or seconds."

Threat level: Shutting off the lights or tampering with local water supplies typically requires a level of knowledge about specific tech stacks and internal systems that most hackers lack.

• With AI models that work 24/7 to find, exploit and map out a system, experts fear those attacks could be far easier to execute.
• Meanwhile, many critical infrastructure operators don't have the money for the technology and manpower needed to write and test patches for every vulnerability.

Between the lines: Cyber defenders tell me that limiting the rollout of highly cyber-capable AI models will give them an edge against attackers, especially in finding and fixing long-standing security vulnerabilities and building more secure software from the start.

• "This is an incredible time where the people who are building applications, that are building operating systems, can get a tremendous amount of cybersecurity scale by leveraging AI to help identify security vulnerabilities," Charles Carmakal, CTO at Mandiant, told Axios.

• Sinha added that the new approach will give companies the ability to adjust to a new threat landscape that is entirely driven by AI agents, not humans.
• "Agents will do the work in the enterprise, and agents are doing the attack," Sinha said. "Everything that is built for a human is irrelevant because the speed has changed."

Yes, but: The bigger issue for defenders isn't finding bugs but actually having the time and resources to fix them, Adam Meyers, senior vice president of counter adversary operations at CrowdStrike, told Axios.

• As AI dramatically increases the volume of discovered flaws, organizations could face a growing backlog of fixes even as attackers get faster at exploiting them, he added.

The flip side: Rolling out models in a restricted way could inhibit the maintainers of open-source projects — which are found in most modern internet appliances — that might need these capabilities the most, Aisle chief scientist Stanislav Fort told Axios.

• "The open-source maintainers who maintain the software the world runs on can't wait for an invitation to a trusted access program, given that the offensive side is very likely deploying AI already," he said.

What to watch: How the U.S. government's cyber leaders respond to these new tools — and whether new initiatives come out from the Cybersecurity and Infrastructure Security Agency or the White House to help beef up defenses for critical infrastructure.