Anthropic caused an industrywide panic last week when it announced Claude Mythos Preview, an AI model with a knack for uncovering high-level cybersecurity vulnerabilities.
Among its achievements, the model found a now-patched weak spot in OpenBSD, an operating system known for its security, that Anthropic claimed went undiscovered for 27 years.
It has also found “thousands of additional high- and critical-severity vulnerabilities” across open-source and closed-source programs, according to the company.
Tech insiders and other experts subsequently freaked out over the potential for the large language model to upend cybersecurity, but one 25-year industry veteran is skeptical.
David Lindner, chief information security officer at Contrast Security, told Fortune that while Mythos may help find myriad problems, this isn’t necessarily the most important issue.
“We’ve never had a problem finding vulnerabilities. We find them every day. We actually have a pile of them that we just don’t fix,” he said. “So I don’t think that really changes anything.”
Lindner pointed out that weak spots are easier to find than to fix, noting that Anthropic’s blog post announcing Mythos stated over 99% of the vulnerabilities the model uncovered haven’t been patched.
More specifically, he said, Mythos does little to help solve one of the biggest issues facing cybersecurity experts: social engineering. Hackers can still use existing tools and AI to impersonate an employee’s boss or an IT worker and gain access to systems, he argued.
Anthropic has said Mythos is so powerful it won’t be publicly released, and it is being made available only to a group of 40 organizations including tech companies such as Microsoft, Apple, and Google, as well as others like cybersecurity company CrowdStrike and bank JPMorgan Chase so they can use the technology to improve their own security infrastructure through an effort it called Project Glasswing.
Because so many people have access to the model, Lindner also predicted it won’t be kept a secret for long.
“Even if they, quote unquote, don’t release it, China will have a version in five or six months, and there’ll be an open-source version within a year or two,” he said.
Incidentally, Fortune was the first to report on the development of Mythos, thanks to a security lapse in which the company left details about the large language model in a publicly accessible database.
Meanwhile, venture capitalist Marc Andreessen has raised questions about whether Anthropic is really holding back the release of Mythos because of security concerns or because it lacks the compute to support a general rollout. Anthropic has faced frequent outages recently and has limited users’ computing supply during peak times, the Wall Street Journal reported this weekend.
Still, other cybersecurity experts remain vigilant about Mythos and its potential to reshape cybersecurity. Zach Lewis, the chief information officer and chief information security officer at the University of Health Sciences and Pharmacy in St. Louis, told Fortune he is worried Mythos will make it that much easier for bad actors, even those with little coding experience, to exploit systems.
“Threat actors don’t even need to know about—they don’t need to have a background in—coding or software design to understand how these systems work. They can deploy an agent that can do it for them,” he said.
Part of the solution for organizations may lie in doubling down on the strategies that are already foiling hundreds if not thousands of exploit attempts per day, according to Lewis.
This includes patching existing vulnerabilities and making sure that the permissions employees have are strictly limited so they can’t be exploited.
“You’ve got to get that stuff locked down,” he said.
The post Anthropic caused panic that Mythos will expose cybersecurity weak spots, but one industry veteran says the real problem is fixing, not finding, them appeared first on Fortune.
