Skórzewiak - stock.adobe.com

AI-powered cyber attacks may be just months away, warn Five Eyes

Frontier AI models will pose a greater cyber security risk to governments and businesses than previously thought, putting them at risk within months

Powerful artificial intelligence (AI) models could be used to conduct cyber attacks in a matter of months, Western intelligence agencies warned today, placing governments and businesses at greater risk.

The leaders of the Five Eyes cyber security agencies, including the UK, US, Canada, Australia and New Zealand, said “frontier AI” models will pose a greater risk to cyber security than expected.

“The rapid pace of frontier AI development means cyber risk assumptions can become outdated in months, not years,” the agencies said in an unprecedented warning. “We must act before, and be prepared to adapt and withstand evolving threats.”

Their advice echoes concerns that hostile states such as China, Russia, Iran and North Korea may rapidly catch up with AI developed by the US and available to organisations in Europe, giving them offensive cyber capabilities far ahead of today’s.

It follows a decision by the US government to prohibit the use of two of Anthropic’s most advanced AI models, Claude Mythos and Fable, by foreign nationals, stating that their export is a “national security” risk.

The Five Eyes statement warned that AI is no longer a future consideration for cyber security, but that the risks are already here. “Frontier AI models are anticipated to exceed current industry expectations, fundamentally transforming both offensive and defensive cyber capabilities,” it said. “The timeline is not years, it is months.”

Building resilience

The Five Eyes groups urge business leaders to go further than the often-repeated recommendations to build secure systems and build resilience against cyber attacks by using AI to strengthen their cyber defences.

“Adversaries are already using AI to move faster and more effectively,” they said. “Defenders must do the same.

“Organisations that integrate AI tools into their security operations can detect vulnerabilities earlier, improve software quality, monitor unusual behaviour and respond faster to incidents – reducing both the cost and impact of incident.”

The Five Eyes said the rapid pace of frontier AI development means cyber risk assumptions can become outdated in months, not years. “We must act before and be prepared to adapt and withstand evolving threats,” they added.

Company boards and executives should ensure their companies are resilient to cyber threats, and that they are confident their controls will perform during a real cyber incident.

“Breaches will occur,” the statement continued. “Preparedness helps you contain them quickly and prevent escalation into major operational and financial crises.”

Richard Horne, the chief executive officer of GCHQ’s National Cyber Security Center, which published the advisory in advance of other Five Eyes members, said the growing capability of AI meant a “step change” in collective cyber defence is required.

Our shared position with international partners on what frontier AI means for cyber security is clear: recent developments are shifting the global threat landscape, and it is crucial that defenders keep up,” he said. 

“It is more important than ever that every member of an organisation, from the board to the IT desk, work towards a shared mission: keeping our online world secure from those who would harm it,” added Horne.

Five Eyes advice for basic security

  1. Reduce your attack surface: Limit unnecessary system access and external connectivity. Challenge whether systems need to be exposed at all and isolate those that do not.
  2. Accelerate patching processes: AI is shortening the time between vulnerability discovery and exploitation. Delays in patching increase risk, especially for operational systems with long update cycles. Prioritise security updates accordingly to manage risks.
  3. Address legacy systems: Unsupported systems are easy targets. They are not just technical debt, they are strategic liabilities.
  4. Review and strengthen identity and access controls: Limit who can access critical systems. Enforce strong authentication and regularly review permissions.
  5. Prepare for incidents before they happen: Test response plans, train and prepare teams, and assume breaches will occur. Focus on fast containment and recovery.

Source: Five Eyes/NCSC advisory. 

Read more on Hackers and cybercrime prevention