ECB: Looming AI Security Risk Requires Increased Cyber Spending by Euro Banks

June 2, 2026


A stark warning has been issued by the European Central Bank (ECB) to the region’s financial outlets: start spending more on cybersecurity and readiness, or be taken advantage of by the new LLMs coming soon from the likes of Anthropic and OpenAI. The ECB notes that Euro banks have been aware of this forthcoming AI security risk and preparing for some years, but the timetable needs to be sped up with the expectation that Mythos and similarly capable models will go public within a year.

The message was primarily delivered by outgoing ECB Vice President Luis de Guindos, as the final takeaway from several weeks of quizzing of Euro banks concluding with a final meeting at which an unspecified US bank shared some of the findings from its advance Mythos security testing. Outside of some select entities in the UK, Europe has been frozen out from Mythos testing to date and thus may be lagging somewhat in awareness of what it is going to mean for cybersecurity going forward.

Emerging AI security risk centers on vulnerability discovery and patching speed

To some extent, inability to access Mythos Preview may have slowed Euro banks in making necessary adjustments to address expected near-term AI security risk. The ECB is warning that, access or no, organizations must be prepared for vulnerability scans by attackers that can turn up a buffet of unremediated issues in mere minutes.

As to when this threat goes from theoretical to real, the timeline is still uncertain. Anthropic has not set a firm date for the public release of Mythos, but believes that, whatever it does, there will be at least one comparably capable competitor model available in 6 to 12 months. The risk of internal leaks also has to be considered, as this has already happened to Anthropic themselves in recent months.

Some of the major US banks are among those granted advanced access to Mythos for security testing, and one was reportedly allowed to brief the Euro banks on some of its findings. Dozens of organizations in the EU are slated to soon get access to ChatGPT’s 5.5 model for testing, thought to be close to Mythos in capability, but the European Commission is still unsuccessfully petitioning Anthropic for advanced access.

The central piece of the AI security risk is that the LLMs will uncover vulnerabilities almost immediately, and current standard patching methods and cycles will likely not be able to keep pace. An increase in patching speed and a move to greater automation are necessary, and obviously something the same AI models will likely assist with. But this also means changes to things like risk containment and approval boundaries for critical systems. Organizations will have to shift from periodic response to the discovery of a major vulnerability, to the expectation that new vulnerabilities will continually be leveraged.

Are Euro banks past the point of catching up?

There are some shreds of information coming out of the Anthropic internal “Project Glasswing” testing of Mythos’ offensive capability that are instructive. One is the comparison between one of the most high-profile test subjects, the Firefox browser, and the smaller-scale but still fairly well-known “curl” project. Mythos quickly spotted hundreds of vulnerabilities in the much more well-funded Firefox, but just one in curl. What was the primary difference? The curl project has been making concerted efforts to stay on top of exactly this sort of AI security risk for years now, using presently available AI tools to explore for vulnerabilities and actively remediate them.

Thus it may not be entirely necessary that Euro banks get early access to Mythos, or even to any comparable model. As the ECB stresses, the key is budgeting for preparation for expected AI security risk with what’s presently available.