“The unveiling of the new "Claude Mythos" artificial intelligence (AI) by the American company Anthropic has sparked a lively debate within the IT community over the past few days. Anthropic announced that Mythos had identified thousands of serious software vulnerabilities—including flaws in every major operating system and web browser, some of which had gone undetected for decades. This triggered significant concern in business and political circles that hackers could soon easily uncover countless previously unknown security holes in IT systems. Consequently, the AI provider is initially making its software available only to a select coalition of technology companies, enabling them to patch their own security vulnerabilities.
Some observers view Anthropic’s announcement primarily as a successful PR stunt. In the past, heads of AI companies have compared their technology to nuclear bombs for marketing purposes to emphasize the power of their models.
Yet, regardless of how individual models are assessed, artificial intelligence is fundamentally altering the threat landscape for IT systems. The genie is out of the bottle. Even if it doesn't turn out to be Claude Mythos, it is only a matter of time before a model with similar capabilities falls into the wrong hands.
After all, AI models available today are already proving useful to hackers. Anthropic’s earlier AI, Claude Code, already possessed excellent capabilities for scanning IT systems for vulnerabilities. AI helps hackers send far more realistic phishing emails that are perfectly tailored to local linguistic nuances. Cybercriminals use phishing emails to fraudulently obtain access credentials. Last November, Anthropic reported the first large-scale cyberattack carried out without substantial human intervention. Analysts at Gartner predict that by 2027, AI will cut in half the time attackers need to exploit compromised accounts.
So far, discovering security vulnerabilities can take months, even for experts. Consequently, it is currently easier for criminal attackers to gain access via the biggest vulnerability in any organization: people. Through phishing emails or "social engineering"—manipulating individuals into divulging information—they employ proven and effective methods. Even today, there are more vulnerabilities than hackers could possibly exploit. However, if exploiting security vulnerabilities becomes as simple as typing a prompt into an AI chatbot, it will mark a paradigm shift.
This threat landscape confronts a German economy that is already ill-prepared for the cyber threats of the past. While IT security spending has risen in recent years, small and medium-sized enterprises (SMEs) remain attractive targets for hackers. Furthermore, significant portions of critical infrastructure run on legacy systems that would almost certainly fail to withstand scrutiny.
Artificial intelligence presents both a risk and an opportunity. IT security has always been a cat-and-mouse game, with the advantage slightly favoring the attackers. AI is now drastically accelerating the attackers' "innovation cycles." Defenders must increasingly leverage AI to close vulnerabilities as quickly as they emerge. This is an ambitious goal—requiring a rapid acceleration of internal system testing processes—yet there is no alternative.
Moreover, in the age of AI, prevention becomes even more critical than reaction, as certain attack patterns may emerge faster than they can be detected and countered. AI can identify risky patterns during the development process, embedding security into the code from the outset. While the principle of "security by design" remains vital for the future, it cannot solve the problems posed by the countless outdated IT systems found in German companies and government agencies.
In any case, an old IT security adage holds true: getting hacked is not a question of *if*, but of *when*. Consequently, the assumption has long been that intruders will gain access. However, they often initially end up in relatively unimportant areas. The crucial thing is to ensure they cannot move freely through the system, escalate privileges, or reach critical systems.” [1]
1. Achtung, die KI-Hacker kommen. Frankfurter Allgemeine Zeitung; Frankfurt. 20 Apr 2026: 15. Von Maximilian Sachse
Komentarų nėra:
Rašyti komentarą