Anthropic’s Claude Mythos is a large language model designed to supercharge computer security. But in the hands of hackers, it can be a powerful tool to exploit vulnerabilities.
The company announced Project Glasswing April 7 to use Mythos Preview for defensive security work. “We formed Project Glasswing because of capabilities we’ve observed in a new frontier model trained by Anthropic that we believe could reshape cybersecurity,” Anthropic said.
Companies including AWS, Apple, Google, Microsoft, Palo Alto Networks and others are approved to use Mythos Preview as part of their defensive security work. When Mythos Preview was made available to them, Anthropic said the model had already found “thousands of high-severity vulnerabilities, including some in every major operating system and web browser.”
Anthropic plans to share what it learns from Project Glasswing and additional early users to strengthen security for both first-party and open-source systems.
Here are 10 things to know:
1. Claude Mythos can identify vulnerabilities to patch, but users can also reverse engineer the vulnerabilities to exploit them. If hackers identify a vulnerability, they could quickly design a program to exploit it and attack users before patches are complete. For healthcare executives, this means EHR infrastructure, medical device software and old versions of medical technology are at particular risk.
2. Large companies are already reporting on the power of Mythos. The Wall Street Journal reported Calif, a security research company, said it was able to circumvent Apple’s security technology with Mythos in five days. The code corrupted the Mac’s memory and gained access to parts of a device that it shouldn’t. Apple is in the process of validating Calif’s report.
3. Cisco, another company that received early access to Mythos, is finding ways the technology can defend its network. The New York Times reported Anthony Grieco, senior vice president and chief security and trust officer, said Mythos was “significantly more powerful” when compared with other systems and advised organizations to be “super aggressive” in using the technology to fix vulnerabilities.
4. Cyberattacks are likely to increase as hackers automate vulnerability discovery, which the Journal dubbed a “bugmageddon.” Hospital IT executives can expect more attacks and alerts in the future. It will be essential for executives to act quickly, automating initial response accountabilities.
5. The timeline for patching vulnerabilities will be reduced from weeks to hours. Hospitals are used to long patch cycles and will need to act much quicker to secure their systems. CNBC reported that Lee Klarich, Palo Alto Networks’ technology chief, said organizations would have three to five months before AI-driven exploits will be “the new norm.”
6. Hospitals with legacy software that is no longer supported will be exposed to additional risk. This is a particular issue for health systems acquiring hospitals or technologies at the end of their life cycle.
7. Mythos is best at mimicking previous cyberattacks and doesn’t typically develop new techniques, according to the Times.
8. HIPAA-breach notification timelines are long now and could be compressed as attacks intensify. Compliance teams should ensure that current systems are designed for rapid incident response and disclosure.
9. Health systems are increasingly engaging with Anthropic as internal Claude use expands — in both approved and unapproved ways. As hospitals and health systems enter into business agreements, security remains a top priority to keep organizations safe and allow their teams to innovate quickly.
10. The Trump administration may depart from the “noninterventionist” policy around AI by considering government oversight for new AI models after learning about Mythos, according to the Times. The president may also convene an AI working group to examine current oversight and potentially formalize a new AI model review process.
No comments:
Post a Comment
Note: Only a member of this blog may post a comment.