Jürgen Fälchle - stock.adobe.c
UK's NCSC warns of ‘wave of patches’
Vulnerability discovery and mitigation continues to exercise the top minds at Britain’s NCSC as cyber experts continue to debate the impact of frontier AI models like Mythos.
Whether or not Anthropic’s Claude Mythos frontier AI model is going to be a game changer for software vulnerability discovery, or whether it is a load of hot air, remains to be seen, but the broader subject is of gathering concern to the UK’s National Cyber Security Centre (NCSC), which has warned that a tsunami of costly and time-consuming technical issues is bearing down on all organisations.
Writing on the NCSC’s website, the agency’s chief technology officer Ollie Whitehouse said the industry has prioritised short-term gains over building resilient products and services, and that with the advent of AI-driven vulnerability discovery, their chickens are about to come home to roost.
“Artificial intelligence, when used by sufficiently-skilled and knowledgeable individuals, is showing the ability to exploit this technical debt at scale and at pace across the technology ecosystem,” wrote Whitehouse.
“As a result, the NCSC expect[s] there will be a ‘forced correction’ to address this technical debt across all types of software, including open source, commercial, proprietary and software as a service.”
Added Whitehouse: “This is why we are encouraging all organisations to prepare now for when a ‘patch wave’ arrives; a rush of software updates that will need to be applied across the technology stack to address the disclosure of new vulnerabilities.”
Considering how chief information security officers (CISOs), security leaders and teams should respond to this sea-change, the NCSC has publicised guidance centred on three core pillars.
Prioritise external surfaces
The first of these pillars is the prioritisation of external attack surfaces. Security teams should work to identify any attack surfaces that are exposed to the public internet as soon as possible. Teams should start with technology on the perimeter of the network, and then work their way inwards, via cloud instances, to on-prem environments.
When vulnerabilities come to light, in instances where updates cannot be applied across the entire environment, security teams should prioritise external attack surfaces, and where capacity extends beyond external surfaces, they should lead with critical security systems.
This said it is important to remember that patching by itself will not always be enough. There may – indeed there very probably is – still technical debt in end-of-life or legacy systems that can’t be patched. If these cannot be brought back within support then they need to be replaced.
Prepare to patch faster and more regularly
The second pillar concerns patch management. Here, organisations should plan to deploy vital software updates quicker, more often, and at scale, including within their supply chains. The NCSC said it is expecting an influx of updates to address flaws at varying levels of severity – many of them are likely to be critical.
The agency recommends organisations priorities activating supplier-provided automatic, secure hot-patching features that don’t involve service disruption – this will have the pleasant side-effect of reducing the security team’s workload.
But if automated patching is not available, security leaders will need to plan to ensure processes and risk appetites support frequent, scaled updates, accounting for the inevitable trade-offs around disruption. Risk-based approaches, such as the Stakeholder Specific Vulnerability Categorisation (SSVC) system can be used to prioritise installing the updates.
Of course, this assumes that critical flaws aren’t under active exploitation – those that do present as zero-days, especially those affecting external-facing systems, will need to have their update schedules brought forward.
Prioritise the basics
The third and final pillar is to look beyond simply updating vulnerable software. Patching alone won’t address the systemic cyber security problems faced by the overwhelming majority of organisations.
The NCSC renewed its appeal to technology firms to ensure systemic technical debt is minimised through memory safety and containment technologies where appropriate.
At end-user organisations, CISOs should keep focus on the fundamentals of cyber security to improve their overall resilience and reduce the impact of breaches through whatever means they originate – whether that be through a vulnerable product or something else. Such an approach should include seeking Cyber Essentials certification, or running the Cyber Assessment Framework for essential services operators.
“[The] NCSC advise[s] all organisations, irrespective of size, to plan and prepare for the vulnerability patch wave. A good place to start is by reading the NCSC’s updated Vulnerability Management guidance,” said Whitehouse.
“For larger organisations, we also recommend working to gain assurance from your supply chains both commercial and open source, so that they are prepared to navigate any required response.”
Lionel Litty, CISO at Menlo Security, said: “This is a timely update from the NCSC. It makes two important points: the external attack surface needs to be prioritised and we need to go beyond software updates and look at containment technologies to reduce the impact of breaches.
“For the majority of users, the web browser is where most of the external attack surface exists. To make this more concrete: just last week, Mozilla announced that it fixed 271 vulnerabilities in the Firefox browser. These vulnerabilities were found using Claude Mythos, Anthropic's latest AI model. This is up from 22 vulnerabilities found by the previous iteration of Claude.
“This highlights the need not only to ensure that your organisation can rapidly and comprehensively deploy browser updates, but also to fundamentally reduce the risk,” said Litty. “Technology such as remote browser isolation can move the attack surface off the user's endpoint, minimising the damage if a user is exposed before their browser is patched.”
Read more about Anthropic's Claude Mythos model
- During the annual CETaS showcase in London, experts discussed the potential cyber risk of tools such as Claude Mythos.
- Technology secretary Liz Kendall urges Britain’s business community to sit up and pay attention to emerging AI threats, following the debut of Anthropic’s new frontier model, Mythos.
- Letting probabilistic AI models autonomously operate inside production networks creates real safety and auditability issues, and that core security validation still needs deterministic guardrails. And Anthropic just raised the stakes.
Read more on Application security and coding requirements
-
![]()
Cyber experts take an optimistic view of AI-powered hacking
By: Cliff Saran
-
![]()
AI security risks force CIOs to rethink strategy
By: Jim O'Donnell
-
![]()
Claude Mythos Preview and the new rules of cybersecurity
By: Kinza Yasar
-
![]()
Weekly news roundup: Tim Cook exits Apple, Meta layoffs intensify and Anthropic investigates Claude
By: Rosa Heaton
