
Mythos highlights the need for European cooperation on AI

Author: Anne Fleur van Veenstra
The launch of Anthropic’s AI model ‘Mythos’ could mark a turning point for cybersecurity. The model is said to be so effective at detecting vulnerabilities in software that it puts global systems at risk. It is currently only shared with major US technology companies. To ensure that European software companies and software users can maintain secure systems, a joint ‘by design’ approach is essential.
Mythos as global news
The cybersecurity world was shaken last month by news that the American AI company Anthropic has developed a new AI model called ‘Mythos’. According to the company, the model is capable of identifying software vulnerabilities that, if made public, would pose significant cybersecurity risks. It could, for example, threaten the global payment system. Unsurprisingly, Mythos was widely discussed during the Spring Meetings of the International Monetary Fund.
Anthropic, which previously set limits on the use of its AI models for autonomous weapon systems, stated that it will not release the model publicly for the time being due to societal risks. Instead, the company has made it available to several leading US technology firms, including Microsoft, OpenAI and Amazon. The aim of Project Glasswing is to enable these companies to identify vulnerabilities using Mythos and subsequently ‘patch’ them, meaning to fix software weaknesses to ensure security.
AI as a threat to cybersecurity
Some experts also view Anthropic’s claims about Mythos primarily as a marketing strategy to promote the company’s AI models. Because the model is not publicly available, its reported capabilities cannot be independently verified. Nevertheless, software companies, software-intensive organisations and governments take the risks of offensive AI in cybersecurity very seriously.
The reason is that more companies are developing similar AI models. Even if Mythos is less powerful than claimed, it seems only a matter of time before an AI model emerges that can detect vulnerabilities faster than experienced software experts. Experts therefore predict that the time between the public disclosure of vulnerabilities and their exploitation by hackers could shrink from days to seconds. This would fundamentally change the field of software security: how can providers and users protect themselves?

‘The challenge with AI is that its use is expanding faster than regulation.’
Anne Fleur van Veenstra, Director of Science
AI continues to take us by surprise
Although artificial intelligence has existed for decades and many of its applications were long anticipated, each breakthrough still seems to come as a surprise. This was the case when a chess computer first defeated a world chess champion, when OpenAI launched the generative AI assistant ChatGPT and disrupted search engines, and again with the announcement of Mythos.
As a result, each new, and often far-reaching, AI development is treated as a standalone event. Consequently, a separate solution is sought for the risks and challenges of each development. However, AI is here to stay: according to Statistics Netherlands (CBS), by 2024, 22.7% of companies with ten or more employees were already using one or more AI technologies. The challenge is that the adoption of AI is outpacing its regulation. Rules and enforcement continue to lag behind technological development and use.
For example, the European AI Act was announced in 2019 by Ursula von der Leyen, the newly appointed President of the European Commission, but only entered into force in August 2024. In the meantime, generative AI became mainstream, requiring adjustments to legislation that was already underway. In the Netherlands, it also took two years to develop the AI Act Implementation Act, which establishes the national supervisory framework.
Collaboration as the answer
The lengthy process of developing and implementing legislation and enforcement is not surprising. However, the gap between the speed of AI development and the ability of governments and organisations to respond to its risks has become significant. There is therefore a need for responses to the unintended consequences of AI, such as cybersecurity threats, to be developed almost in real time.
Given the speed required to monitor and respond to the impact of AI, particularly for critical applications such as our essential infrastructure, it is unlikely that any single organisation can build all the necessary expertise. Collaboration between governments, knowledge institutions, regulators and industry will be crucial, not only in the Netherlands, but across Europe.
Working together on ‘by design’
This collaboration should focus on developing structural ‘by design’ capabilities, for example countering the risks posed by Mythos through ‘cybersecurity by design’. This means that cybersecurity experts work alongside AI specialists, software engineers, and legal and ethics experts to ensure that security is embedded into software systems from the outset. Such collaboration must be established quickly and remain adaptable to address the rapidly evolving risks of AI. Only then can we respond in time to risks facing our critical information infrastructure, including systems such as the global payments network.



