
AI-powered cyber attacks may be just months away, warn Five Eyes

Frontier AI models will pose a greater cyber security risk than previously thought, putting businesses and governments at risk within months

Powerful AI models could be used to conduct cyber attacks within a matter of months, western intelligence agencies warned today, placing governments and businesses at greater risk.

The leaders of the cyber security agencies of the Five Eyes countries, the UK, USA, Canada, Australia and New Zealand, warned today that “frontier AI” models will pose a greater risk to cyber security than expected.

“The rapid pace of frontier AI development means cyber risk assumptions can become outdated in months, not years. We must act before and be prepared to adapt and withstand evolving threats,” the agencies said in an unprecedented warning.

Their advice echoes concerns that hostile states such as China, Russia, Iran and North Korea may rapidly catch up with AI capabilities developed by the US and available to organisations in Europe, giving them offensive cyber capabilities far in advance of those they have today.

It follows a decision by the US government to prohibit the use of two of Anthropic’s most advanced AI models, Claude Mythos and Fable, by foreign nationals, stating that their export is a “national security” risk.

The Five Eyes statement warns that AI is no longer a future consideration for cyber security but that the risks are already here.

“Frontier AI models are anticipated to exceed current industry expectations, fundamentally transforming both offensive and defensive cyber capabilities. The timeline is not years, it is months,” it says.

The Five Eyes agencies urge business leaders to go further than the often-repeated recommendations to build secure systems and resilience against cyber attacks, by using AI to strengthen their cyber defences.

“Adversaries are already using AI to move faster and more effectively. Defenders must do the same,” they say.

“Organisations that integrate AI tools into their security operations can detect vulnerabilities earlier, improve software quality, monitor unusual behaviour, and respond faster to incidents – reducing both the cost and impact of incidents”, the notice adds.

The Five Eyes say that the rapid pace of frontier AI development means that cyber risk assumptions can become outdated in months, not years. “We must act before and be prepared to adapt and withstand evolving threats”.

Company boards and executives should ensure their companies are resilient to cyber threats, and be confident that the controls in place will perform during a real cyber incident.

“Breaches will occur. Preparedness helps you contain them quickly and prevent escalation into major operational and financial crises,” the warning states.

Richard Horne, chief executive officer of GCHQ’s National Cyber Security Centre, which published the advisory in advance of other Five Eyes members, said the growing capability of AI meant that a “step change” in collective cyber defence is required.

“Our shared position with international partners on what frontier AI means for cyber security is clear: recent developments are shifting the global threat landscape, and it is crucial that defenders keep up,” he said.

“It is more important than ever that every member of an organisation, from the Board to the IT desk, work towards a shared mission: keeping our online world secure from those who would harm it,” he added.

Five Eyes advice for basic security

  1. Reduce your attack surface: Limit unnecessary system access and external connectivity. Challenge whether systems need to be exposed at all and isolate those that do not.
  2. Accelerate patching processes: AI is shortening the time between vulnerability discovery and exploitation. Delays in patching increase risk, especially for operational systems with long update cycles. Prioritise security updates accordingly to manage risks.
  3. Address legacy systems: Unsupported systems are easy targets. They are not just technical debt, they are strategic liabilities.
  4. Review and strengthen identity and access controls: Limit who can access critical systems. Enforce strong authentication and regularly review permissions.
  5. Prepare for incidents before they happen: Test response plans, train and prepare teams, and assume breaches will occur. Focus on fast containment and recovery.

Source: Five Eyes/NCSC advisory.

     
