A new generation of experimental, frontier AI models are rapidly developing the ability to discover and exploit software vulnerabilities and business leaders need to start to pay attention, the UK government has warned.
In an open letter to Britain’s business leaders published on 15 April, business secretary Liz Kendall said the threats organisations face in cyber space are changing and their responses need to change, too.
“For years, the most serious cyber attacks have relied on a small number of highly skilled criminals. That is now shifting,” she said. “AI models are becoming capable of doing work that previously required rare expertise: finding weaknesses in software, writing the code to exploit them, and doing so at a speed and scale that would have been impossible even a year ago.”
Following the recent debut of Anthropic’s frontier model, Mythos, and its accompanying Project Glasswing – which is intended to give some of the world’s largest technology companies a head start on addressing the vulnerabilities it can supposedly uncover – Kendall revealed that the UK’s AI Security Institute (AISI) operated by the Department for Science, Innovation and Technology (DSIT) has been testing out its capabilities.
She said AISI had found Mythos to be “substantially more capable at cyber offence than any model we have previously assessed.”
According to the AISI, frontier model capabilities are doubling every four months, down from eight months in the recent past.
“This finding is significant both for what it means today, but also because it highlights the speed at which AI capabilities are increasing and the threats they potentially pose,” said Kendall
“OpenAI also announced scaling up their Trusted Access for Cyber programme last night, showing that AI’s accelerating impact on cyber is not isolated to a single company, and we expect more to follow.
“The trajectory is clear and therefore it is vital that we are prepared for frontier AI model capabilities to rapidly increase over the next year, and plan accordingly for that outcome,” she said.
Responding to the threat
Kendall said the UK government is not standing still in response to this threat – having opened up the AISI two-and-a-half years ago, she said the nation now boasts the most advanced capabilities anywhere in the world for understanding frontier AI models.
More broadly, she continued, the National Cyber Security Centre (NCSC) continues to work up practical guidance for end-user organisations, while the upcoming Cyber Security and Resilience Bill and the National Cyber Action Plan – soon to be published, will also move things in the right direction.
But, said Kendall, government action alone is insufficient. “Every business in the UK has a part of play. Criminals will not just target government systems and critical infrastructure. They will target ordinary companies, of every size, in every sector. Attackers go where defences are weakest,” she said.
Kendall urged business leaders and board members to ensure they are regularly discussing cyber risks and not delegating such things to IT teams, and consider signing up to the Cyber Governance Code of Practice if they have not already, while smaller business can avail themselves of the NCSC’s Cyber Action Toolkit. All businesses should also be planning and rehearsing incident response practices, and considering taking out cyber insurance.
She also pointed businesses towards the Cyber Essentials certification scheme to help organisations establish basic security policies and procedures, and additionally highlighted resources provided by the NCSC – notably its Early Warning service – and by regulators for regulated sectors.
“We are entering a period in which the pace of technological change may test every institution in the country. The businesses that act now – that treat cyber security as an essential part of running a modern company, not an optional extra – will be the ones best placed to thrive through it and seize its advantages. We urge you to be among them,” said Kendall.
