Mythos AI Being Used in NSA Cyber Operations?

The new Mythos AI, along with all other Anthropic products, are supposed to be under a ban for use by federal agencies and their contractors. But there have been rumblings about the National Security Agency (NSA) nevertheless continuing to use and test them since April. More fuel has been added to that fire as an anonymous source has come forward to claim that Anthropic now has engineers embedded with the agency providing training and ongoing support to its cyber operations.

The big question is how far this goes, which the source does not provide much detail on. The whole conflict between Anthropic and the US government started with the company’s declaration that it would not support its products being used for domestic spying or in the operation of autonomous weapons. There are a lot of cyber operations the NSA engages in that would fall outside of that scope, given its focus on foreign espionage and hacking. The other question this raises is whether the government’s position on Anthropic is softening given the demonstrated ability of Mythos AI to scout out vulnerabilities.

Extent of Anthropic involvement in government cyber operations remains unclear

At the most benign end, AI can be used in cyber operations for quickly processing intelligence data and summarizing long and complex reports for analysts; there were prior news reports on the NSA continuing to use Claude for this purpose even after it was banned. But Mythos AI’s specialty, and the reason it’s creating such a buzz right now, is its ability to unearth nearly all the vulnerabilities in a target potentially within mere minutes. In some cases these vulnerabilities have been in place for over 15 years without being previously detected.

The NSA has almost certainly been testing its own systems in this way with Mythos AI, and quite possibly other federal systems. But the deployment of “about half a dozen” engineers from Anthropic to embed with them suggests a more involved level of engagement with their cyber operations.

So does that mean Anthropic is going back on their word? There is plenty of wiggle room if their involvement is strictly with NSA cyber operations. The agency is not involved with the development of kinetic weapons, but it does develop and make use of cyber weapons (such as the Stuxnet worm). As far as domestic surveillance, at least on paper the agency is supposed to be pointed at foreign enemies and spies. The Snowden leaks revealed that it at least has had involvement in bulk warrantless data collection, however.

News comes as Mythos AI access expands to new nations

This report comes just after Anthropic’s announcement that the “Project Glasswing” security testing preview of the Mythos AI is being expanded from about 40 to about 150 participants. Anthropic does not publish a list of these groups, but many have independently confirmed their access and a number of new nations are now included. This includes the main cybersecurity agencies of the EU and South Korea among others.

If any doubt remained, this news indicates that the Mythos AI capability is for real and that the age of fully automated patching and AI-driven behavior monitoring being a basic requirement is just about here. In addition to this, it should be a very strong prompt to organizations to minimize publicly accessible attack surfaces as much as possible and to review all legacy systems and applications for potential upgrades.